On Tue, 14 Feb 1995, Thomas Lopatic wrote:

> Hi there,
>
> in addition to the posted patches, which fix the problem documented, I'd like
> to suggest the following measures to make sure that buffer overflows don't
> happen in other parts of the daemon either. Please comment.
>
> 1. define HUGE_STRING_LEN and MAX_STRING_LEN to a value of 4000 each
>    (file httpd.h)
>
> 2. have getline() read only 1000 characters instead of HUGE_STRING_LEN
>    (file http_request.c: getline(l,HUGE_STRING_LEN/4,in,timeout) instead
>    of getline(l,HUGE_STRING_LEN,in,timeout))
>
> This should at first sight pretty much eliminate the problem. It isn't at all
> good style, but it should do until an official patch is ready. Does anyone see
> any problems with this?
>
> Greetings,
> -Thomas
>

I have taken Thomas' fixes (with one slight change, see below) and added them to Christopher Davis' fix and built a patch for ease of installation. To use this, save the text after the "cut here" line as "httpd_1.3.patch", download the source for httpd 1.3 from ftp.ncsa.uiuc.edu:/Web/httpd/Unix/ncsa_httpd/httpd_1.3/httpd_source.tar.Z, uncompress and untar it, and then cd into the httpd_1.3/src directory and type "patch < ../../httpd_1.3.patch".

The difference between the suggestions above and the patch below is that I set HUGE_STRING_LEN and MAX_STRING_LEN to 4096 (rather than 4000). If this presents any additional problems, please tell me.

There are no warranties associated with this patch. Install at your own risk. Have fun.

- Paul "Shag" Walmsley <ccshag@cclabs.missouri.edu>
  "I'll drink a toast to bold evolution any day!"

----[ cut here ]----------------------------------------
diff -c -r httpd_1.3/src/http_request.c httpd_1.3a/src/http_request.c *** httpd_1.3/src/http_request.c Sat May 7 21:47:09 1994 --- httpd_1.3a/src/http_request.c Wed Feb 15 23:28:35 1995 *************** *** 2,8 **** * http_request.c: functions to get and process requests * * Rob McCool 3/21/93 ! 
* */ --- 2,8 ---- * http_request.c: functions to get and process requests * * Rob McCool 3/21/93 ! * */ *************** *** 101,107 **** handle_request: #endif l[0] = '\0'; ! if(getline(l,HUGE_STRING_LEN,in,timeout)) return; if(!l[0]) return; --- 101,107 ---- handle_request: #endif l[0] = '\0'; ! if(getline(l,HUGE_STRING_LEN/4,in,timeout)) /* security patch */ return; if(!l[0]) return; diff -c -r httpd_1.3/src/httpd.h httpd_1.3a/src/httpd.h *** httpd_1.3/src/httpd.h Sat May 7 21:47:12 1994 --- httpd_1.3a/src/httpd.h Wed Feb 15 23:30:35 1995 *************** *** 251,258 **** #define SHELL_PATH "/bin/sh" /* The default string lengths */ ! #define MAX_STRING_LEN 256 ! #define HUGE_STRING_LEN 8192 /* The timeout for waiting for messages */ #define DEFAULT_TIMEOUT 1200 --- 251,258 ---- #define SHELL_PATH "/bin/sh" /* The default string lengths */ ! #define MAX_STRING_LEN 4096 /* security patch */ ! #define HUGE_STRING_LEN 4096 /* security patch */ /* The timeout for waiting for messages */ #define DEFAULT_TIMEOUT 1200 diff -c -r httpd_1.3/src/util.c httpd_1.3a/src/util.c *** httpd_1.3/src/util.c Sat May 7 21:47:15 1994 --- httpd_1.3a/src/util.c Wed Feb 15 23:32:00 1995 *************** *** 158,164 **** void strsubfirst(int start,char *dest, char *src) { ! char tmp[MAX_STRING_LEN]; strcpy(tmp,&dest[start]); strcpy(dest,src); --- 158,164 ---- void strsubfirst(int start,char *dest, char *src) { ! char tmp[MAX_STRING_LEN+HUGE_STRING_LEN]; /* security patch */ strcpy(tmp,&dest[start]); strcpy(dest,src);
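
Review bot: in the http_request.c hunk at lines 2,8, the only marked line is the ` * ` line of the file header comment, and its old and new text read the same here, so this looks like a whitespace-only change. Drop this hunk so the security patch touches only functional lines and applies cleanly to trees where that comment line differs.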
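
Review bot: in the http_request.c hunk at handle_request, the new limit `HUGE_STRING_LEN/4` is a bare expression whose value depends on the httpd.h change in the same patch (4096/4 = 1024, not the 1000 characters named in the discussion), and the `/* security patch */` comment does not say why a quarter was chosen. Give the limit its own name in httpd.h, defined as HUGE_STRING_LEN/4, and note there that the fix relies on the headroom this leaves in `l` and in the buffers the request line is later copied into. The hunk also does not show what happens to the rest of an over-long line once getline() stops reading; please confirm the leftover bytes are not then parsed as a new request.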
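
Review bot: in the httpd.h hunk, setting both MAX_STRING_LEN and HUGE_STRING_LEN to 4096 raises the first sixteenfold from 256 and halves the second from 8192, and the only explanation is `/* security patch */`. Every buffer declared with MAX_STRING_LEN now takes 4 KB, which matters wherever such buffers are locals, and any call elsewhere that still passes HUGE_STRING_LEN as its read limit can fill a buffer of that size completely, leaving no room for anything prepended or appended later. Add a comment stating that the two macros must stay equal and that request input is expected to be capped at HUGE_STRING_LEN/4, and check the other getline() callers against that rule.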
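
Review bot: in the util.c hunk, strsubfirst() still has no length check; enlarging `tmp` to MAX_STRING_LEN+HUGE_STRING_LEN only moves the point at which `strcpy(tmp,&dest[start]);` overflows, and `strcpy(dest,src);` writes into the caller's buffer, whose size the function never learns. Pass the size of `dest` as a parameter and verify that strlen(src) plus strlen(&dest[start]) fits before either copy, returning an error otherwise. As written, the function is safe only if every caller guarantees both strings are short, and nothing in the patch documents or enforces that.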