Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability
# The problem is none of the patches of adjusting the size of the "tmp"
# array in strsubfirst() really fix the overall problem.
#
# If the input array (dest) is sized to HUGE_STRING_LEN and is full,
# then the input array (dest) will overrun whatever follows it when the
# strcpy(&dest[strlen(src)],tmp);
# is executed because now the total number of bytes placed in dest is
# "what was there" plus (in the case most recently discussed) the
# contents of document_root_path.
Any reason why the following wouldn't be an adequate fix?:
    void strsubfirst(int start,char *dest, char *src)
    {
        char tmp[MAX_STRING_LEN];

        strncpy(tmp,&dest[start],MAX_STRING_LEN);
        strcpy(dest,src);
        strncpy(&dest[strlen(src)],tmp,MAX_STRING_LEN);
    }
If you see a problem with this, please let me know.
Thanks,
Scott
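
The final strncpy() above pads to a full MAX_STRING_LEN bytes starting at dest[strlen(src)], so the overrun of dest described in the quoted text remains; the added example below (not from the original message or from NCSA httpd) bounds the operation by passing in the size of dest. The names strsubfirst_bounded, dest_size and try_sub are hypothetical, and src is assumed not to overlap dest.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: replace the first `start` bytes of dest with src without
 * ever writing past dest_size. Returns 0 on success, or -1 (dest untouched)
 * if the arguments are invalid or the result would not fit. */
int strsubfirst_bounded(int start, char *dest, size_t dest_size, const char *src)
{
    size_t dest_len, src_len, tail_len;

    if (dest == NULL || src == NULL || start < 0 || dest_size == 0)
        return -1;
    /* dest must already be NUL-terminated inside its own buffer */
    if (memchr(dest, '\0', dest_size) == NULL)
        return -1;
    dest_len = strlen(dest);
    if ((size_t)start > dest_len)
        return -1;

    src_len = strlen(src);
    tail_len = dest_len - (size_t)start;
    /* src + tail + NUL must fit; written so the arithmetic cannot wrap */
    if (src_len >= dest_size || tail_len >= dest_size - src_len)
        return -1;

    /* shift the tail (with its NUL) in place, then copy src in front of it;
     * no fixed-size tmp array is needed */
    memmove(dest + src_len, dest + start, tail_len + 1);
    memcpy(dest, src, src_len);
    return 0;
}

/* Constructed harness: a 16-byte dest holding "/~user/x.html", start = 6.
 * Returns the function's result, or -2 if the buffer content is wrong. */
int try_sub(const char *src)
{
    char buf[16] = "/~user/x.html";
    char want[64];
    int rc = strsubfirst_bounded(6, buf, sizeof buf, src);

    snprintf(want, sizeof want, "%s%s", rc == 0 ? src : "/~user", "/x.html");
    return strcmp(buf, want) == 0 ? rc : -2;
}
```

A caller that gets -1 back should fail the request rather than continue with a truncated path.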