Re: [PATCH] mod_proxy truncates status line
Adam Sussman wrote:

Are you 100% sure the buffer is big enough to do this? If the buffer is of size len the zero will be written past the end of the buffer.

In the current code, len is strlen(buffer) so it can be safely assumed to be one less than the length of the buffer (provided of course that ap_proxy_string_read can be trusted).

The contents of a buffer can never be trusted though - this could be exploited as an overflow and potentially an exploit.

Regards,
Graham
--
[EMAIL PROTECTED] There's a moon over Bourbon Street tonight...
Re: [PATCH] mod_proxy truncates status line
On Sun, Dec 30, 2001 at 02:58:16PM +0200, Graham Leggett wrote:

Adam Sussman wrote:

Mod_proxy truncates the status line returned by the proxied server. One character gets snipped off of the end of the status line.

Are you 100% sure the buffer is big enough to do this? If the buffer is of size len the zero will be written past the end of the buffer.

In the current code, len is strlen(buffer) ...

Which means that we can just remove the assignment entirely. buffer is already NULL terminated else strlen would be blowing up. In fact, ap_proxy_string_read() NULL terminates the returned buffer.

Bill
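The question argued in the messages above, whether a store at index len is redundant, truncating or out of bounds, depends only on len, the string length and the buffer's capacity. This is an added example, not code from the thread or from httpd: classify_store, bounded_len and status_code are hypothetical names and the status line is a constructed sample.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What would `buf[len] = '\0'` do to a string held in `cap` bytes? */
enum store_effect { STORE_UNCHANGED, STORE_TRUNCATES, STORE_OUT_OF_BOUNDS };

/* Length of the string in buf, or cap if no terminator lies inside it. */
static size_t bounded_len(const char *buf, size_t cap)
{
    const char *nul = memchr(buf, '\0', cap);
    return nul ? (size_t)(nul - buf) : cap;
}

enum store_effect classify_store(const char *buf, size_t cap, size_t len)
{
    if (len >= cap)
        return STORE_OUT_OF_BOUNDS;   /* valid indexes are 0..cap-1 */
    if (len < bounded_len(buf, cap))
        return STORE_TRUNCATES;       /* overwrites a data byte */
    return STORE_UNCHANGED;           /* lands on or after the terminator */
}

/* Read the 3-digit code at offsets 9..11 of "HTTP/x.y NNN reason" without
 * writing to the buffer. Returns -1 if the line is unterminated within cap,
 * shorter than 12 bytes, or has no digits at those offsets. */
int status_code(const char *buf, size_t cap)
{
    size_t len = bounded_len(buf, cap);
    if (len == cap || len < 12)
        return -1;
    for (size_t i = 9; i < 12; i++)
        if (!isdigit((unsigned char)buf[i]))
            return -1;
    return (buf[9] - '0') * 100 + (buf[10] - '0') * 10 + (buf[11] - '0');
}

int main(void)
{
    char line[32] = "HTTP/1.1 404 Not Found";   /* constructed sample */
    size_t len = strlen(line);
    printf("store at len:      %d\n", classify_store(line, sizeof line, len));
    printf("store at len - 1:  %d\n", classify_store(line, sizeof line, len - 1));
    printf("store at capacity: %d\n", classify_store(line, sizeof line, sizeof line));
    printf("status code:       %d\n", status_code(line, sizeof line));
    return 0;
}
```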
Re: [PATCH] mod_proxy truncates status line
Adam Sussman wrote:

Mod_proxy truncates the status line returned by the proxied server. One character gets snipped off of the end of the status line.

Are you 100% sure the buffer is big enough to do this? If the buffer is of size len the zero will be written past the end of the buffer.

Index: modules/proxy/proxy_http.c === RCS file: /home/cvspublic/httpd-2.0/modules/proxy/proxy_http.c,v retrieving revision 1.114 diff -u -r1.114 proxy_http.c --- proxy_http.c19 Dec 2001 16:32:01 - 1.114 +++ proxy_http.c29 Dec 2001 00:12:21 - @@ -689,7 +689,7 @@ server: , buffer, NULL)); } backasswards = 0; -buffer[--len] = '\0'; +buffer[len] = '\0'; buffer[12] = '\0'; r-status = atoi(buffer[9]);

Regards,
Graham
--
[EMAIL PROTECTED] There's a moon over Bourbon Street tonight...
Re: [PATCH] mod_proxy truncates status line
On Sun, Dec 30, 2001 at 02:58:16PM +0200, Graham Leggett wrote:

Adam Sussman wrote:

Mod_proxy truncates the status line returned by the proxied server. One character gets snipped off of the end of the status line.

Are you 100% sure the buffer is big enough to do this? If the buffer is of size len the zero will be written past the end of the buffer.

In the current code, len is strlen(buffer) so it can be safely assumed to be one less than the length of the buffer (provided of course that ap_proxy_string_read can be trusted).

In any case, the specific setting of a null character in a way that truncates valid data is not appropriate here. Buffer and len must be sized appropriately. I believe that they are correct.

-adam

Index: modules/proxy/proxy_http.c === RCS file: /home/cvspublic/httpd-2.0/modules/proxy/proxy_http.c,v retrieving revision 1.114 diff -u -r1.114 proxy_http.c --- proxy_http.c19 Dec 2001 16:32:01 - 1.114 +++ proxy_http.c29 Dec 2001 00:12:21 - @@ -689,7 +689,7 @@ server: , buffer, NULL)); } backasswards = 0; -buffer[--len] = '\0'; +buffer[len] = '\0'; buffer[12] = '\0'; r-status = atoi(buffer[9]);

Regards,
Graham
--
[EMAIL PROTECTED] There's a moon over Bourbon Street tonight...

--
I believe in Kadath in the cold waste, and Ultima Thule. But you cannot prove to me that Harvard Law School actually exists. - Theodora Goss

I'm not like that, I have a cat, I don't need you.. My cat, and about 18 lines of bourne shell code replace you in life. - anonymous

Adam Sussman
Vidya Media Ventures
[EMAIL PROTECTED]
[PATCH] mod_proxy truncates status line
Mod_proxy truncates the status line returned by the proxied server. One character gets snipped off of the end of the status line.

-adam

Index: modules/proxy/proxy_http.c === RCS file: /home/cvspublic/httpd-2.0/modules/proxy/proxy_http.c,v retrieving revision 1.114 diff -u -r1.114 proxy_http.c --- proxy_http.c19 Dec 2001 16:32:01 - 1.114 +++ proxy_http.c29 Dec 2001 00:12:21 - @@ -689,7 +689,7 @@ server: , buffer, NULL)); } backasswards = 0; -buffer[--len] = '\0'; +buffer[len] = '\0'; buffer[12] = '\0'; r-status = atoi(buffer[9]);
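Review bot: the replacement store `buffer[len] = '\0';` is in bounds only if len is strictly less than the capacity of buffer, and nothing in this hunk shows where len comes from or how large buffer is. If len is strlen(buffer), as stated in the thread, the byte at that index is already the terminator, so the line can be deleted rather than changed; if len can ever equal the buffer size, the store lands one byte past the end. Please either drop the assignment or guard it with an explicit comparison against the buffer size, and say in the commit message which of the two cases applies. The unchanged context line `buffer[12] = '\0';` also writes at a fixed offset with no visible check that the line read is at least that long, so it deserves the same guard.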