
Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability



# The problem is none of the patches of adjusting the size of the "tmp"
# array in strsubfirst() really fix the overall problem.
# 
# If the input array (dest) is sized to HUGE_STRING_LEN and is full,
# then the input array (dest) will overrun whatever follows it when the
# 	strcpy(&dest[strlen(src)],tmp);
# is executed because now the total number of bytes placed in dest is
# "what was there" plus (in the case most recently discussed) the
# contents of document_root_path.

Any reason why the following wouldn't be an adequate fix?

void strsubfirst(int start,char *dest, char *src)
{
    char tmp[MAX_STRING_LEN];

    strncpy(tmp,&dest[start],MAX_STRING_LEN);
    strcpy(dest,src);
    strncpy(&dest[strlen(src)],tmp,MAX_STRING_LEN);
}

If you see a problem with this, please let me know.

Thanks,

Scott
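The quoted message locates the real bound in the capacity of dest, not in the size of the temporary: whatever was already in dest plus the substituted text must still fit there. As an added illustration that is not part of Scott's message or of NCSA httpd, the C function below takes the capacity of dest as a parameter, computes the length the result would need before writing anything, and refuses the substitution (leaving dest untouched) when it would not fit. The function name strsubfirst_checked, the selfcheck() routine, the buffer sizes and the sample paths are all constructed for this demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Replace the first `start` bytes of `dest` with `src`, keeping the tail
 * dest[start..] after it.  The caller passes the capacity of dest; the
 * function checks the final length against that capacity before any write.
 * Returns 0 on success, -1 if the result would not fit or `start` lies past
 * the end of dest (dest is left unchanged in both failure cases). */
int strsubfirst_checked(char *dest, size_t dest_size, size_t start, const char *src)
{
    size_t dest_len = strlen(dest);
    if (start > dest_len)
        return -1;                          /* nothing sensible to keep */

    size_t tail_len = dest_len - start;     /* bytes of dest retained after src */
    size_t src_len = strlen(src);

    /* Need src_len + tail_len + 1 (NUL) <= dest_size, written so the
     * arithmetic itself cannot wrap around. */
    if (src_len >= dest_size || tail_len >= dest_size - src_len)
        return -1;

    /* Move the tail to its final position first (regions may overlap, so
     * memmove), including the terminating NUL, then lay src over the head. */
    memmove(dest + src_len, dest + start, tail_len + 1);
    memcpy(dest, src, src_len);
    return 0;
}

/* Exercise the check on constructed paths (a document root substituted for
 * a leading "/docs" component).  Returns a bitmask of failed expectations;
 * 0 means every expectation held. */
int selfcheck(void)
{
    int failures = 0;
    char big[64] = "/docs/index.html";      /* constructed sample input */
    char small[32] = "/docs/index.html";    /* same input, smaller buffer */
    const char *root = "/usr/local/etc/httpd/htdocs"; /* constructed path */

    /* Result is 38 characters plus NUL = 39 bytes; 64 available: succeeds. */
    if (strsubfirst_checked(big, sizeof big, 5, root) != 0) failures |= 1;
    if (strcmp(big, "/usr/local/etc/httpd/htdocs/index.html") != 0) failures |= 2;

    /* Same 39 bytes needed, only 32 available: refused, buffer untouched. */
    if (strsubfirst_checked(small, sizeof small, 5, root) != -1) failures |= 4;
    if (strcmp(small, "/docs/index.html") != 0) failures |= 8;

    /* A start offset beyond the end of dest is refused as well. */
    if (strsubfirst_checked(big, sizeof big, 100, "x") != -1) failures |= 16;

    return failures;
}

int main(void)
{
    int f = selfcheck();
    printf("selfcheck failures: %d\n", f);
    return f != 0;
}
```

The point of the shape is that the only quantity compared against a limit is the total number of bytes that will end up in dest, which is exactly the overrun the quoted message describes; the temporary buffer disappears because memmove handles the overlapping shift directly.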

