author | Daniel Earl Poirier <poirier@apache.org> | 2009-07-24 19:15:29 +0200 |
---|---|---|
committer | Daniel Earl Poirier <poirier@apache.org> | 2009-07-24 19:15:29 +0200 |
commit | 0e4810f9006da33eff6af211d4d8418545271b75 (patch) | |
tree | 56bf6c62a26caccf059b6389183cc4a80e2c8e93 /support/htdbm.c | |
parent | In the case where we have no members, they aren't in error (diff) | |
htdbm: Fix possible buffer overflow if dbm database has very
long values. PR 30586 [Dan Poirier]
PR 30586
Reported by: Ulf Harnhammar, Swedish IT Incident Centre
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@797563 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to '')
-rw-r--r-- | support/htdbm.c | 16 |
1 files changed, 6 insertions, 10 deletions
diff --git a/support/htdbm.c b/support/htdbm.c
index b98d686220..74bff82003 100644
--- a/support/htdbm.c
+++ b/support/htdbm.c
@@ -219,7 +219,7 @@ static apr_status_t htdbm_del(htdbm_t *htdbm)
 static apr_status_t htdbm_verify(htdbm_t *htdbm)
 {
 apr_datum_t key, val;
- char pwd[MAX_STRING_LEN] = {0};
+ char *pwd;
 char *rec, *cmnt;
 key.dptr = htdbm->username;
@@ -231,9 +231,9 @@ static apr_status_t htdbm_verify(htdbm_t *htdbm)
 rec = apr_pstrndup(htdbm->pool, val.dptr, val.dsize);
 cmnt = strchr(rec, ':');
 if (cmnt)
- strncpy(pwd, rec, cmnt - rec);
+ pwd = apr_pstrndup(htdbm->pool, rec, cmnt - rec);
 else
- strcpy(pwd, rec);
+ pwd = apr_pstrdup(htdbm->pool, rec);
 return apr_password_validate(htdbm->userpass, pwd);
 }
@@ -242,7 +242,7 @@ static apr_status_t htdbm_list(htdbm_t *htdbm)
 apr_status_t rv;
 apr_datum_t key, val;
 char *rec, *cmnt;
- char kb[MAX_STRING_LEN];
+ char *kb;
 int i = 0;
 rv = apr_dbm_firstkey(htdbm->dbm, &key);
@@ -250,8 +250,6 @@ static apr_status_t htdbm_list(htdbm_t *htdbm)
 fprintf(stderr, "Empty database -- %s\n", htdbm->filename);
 return APR_ENOENT;
 }
- rec = apr_pcalloc(htdbm->pool, HUGE_STRING_LEN);
-
 fprintf(stderr, "Dumping records from database -- %s\n", htdbm->filename);
 fprintf(stderr, " %-32sComment\n", "Username");
 while (key.dptr != NULL) {
@@ -260,11 +258,9 @@ static apr_status_t htdbm_list(htdbm_t *htdbm)
 fprintf(stderr, "Failed getting data from %s\n", htdbm->filename);
 return APR_EGENERAL;
 }
- strncpy(kb, key.dptr, key.dsize);
- kb[key.dsize] = '\0';
+ kb = apr_pstrndup(htdbm->pool, key.dptr, key.dsize);
 fprintf(stderr, " %-32s", kb);
- strncpy(rec, val.dptr, val.dsize);
- rec[val.dsize] = '\0';
+ rec = apr_pstrndup(htdbm->pool, val.dptr, val.dsize);
 cmnt = strchr(rec, ':');
 if (cmnt)
 fprintf(stderr, "%s", cmnt + 1);
 |
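Review bot: The second pool copy in htdbm_verify is not needed, because `rec` is already a NUL-terminated private copy made by `apr_pstrndup` two lines earlier. The hash field can be cut in place with `if (cmnt) *cmnt = '\0';` and checked with `return apr_password_validate(htdbm->userpass, rec);`, which removes `pwd` and the if/else and leaves one fewer copy of the stored hash in the pool. The fetch that fills `val` lies between this hunk and the previous one and is not visible here, so it is worth confirming there that `val.dptr` cannot be NULL when it reaches `apr_pstrndup`.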
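Review bot: `kb` and `rec` are now duplicated from `htdbm->pool` on every pass of the `while` loop in htdbm_list, and nothing visible releases them, so a listing keeps a copy of every key and value until that pool is destroyed. Memory use then grows with the size of the database, which is the same input the commit message describes as possibly holding very long values. A scratch subpool created before the loop and cleared at the top of each pass keeps the footprint to one record. The loop opens in the preceding hunk and ends outside this one, so the matching `apr_pool_destroy` belongs in the part of the function that is not shown.

```c
    apr_pool_t *rec_pool;   /* scratch pool, emptied for each record */
    /* … unchanged: other declarations, apr_dbm_firstkey check, header output … */
    apr_pool_create(&rec_pool, htdbm->pool);
    while (key.dptr != NULL) {
        apr_pool_clear(rec_pool);
        /* … unchanged: apr_dbm_fetch and its error return … */
        kb = apr_pstrndup(rec_pool, key.dptr, key.dsize);
        /* … unchanged: username output … */
        rec = apr_pstrndup(rec_pool, val.dptr, val.dsize);
        /* … unchanged: comment output; rest of the loop is outside the hunk … */
```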