
Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability




On Thu, 16 Feb 1995, Scott Silvey wrote:

> Date: Thu, 16 Feb 1995 17:49:32 -0800
> From: Scott Silvey <scott@swindle.Berkeley.EDU>
> To: www-security@ns2.rutgers.edu
> Subject: Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability 
> 
> 
> # The problem is none of the patches of adjusting the size of the "tmp"
> # array in strsubfirst() really fix the overall problem.
> # 
> Any reason why the following wouldn't be an adequate fix?:
> 
> void strsubfirst(int start,char *dest, char *src)
> {
>     char tmp[MAX_STRING_LEN];
> 
>     strncpy(tmp,&dest[start],MAX_STRING_LEN);
>     strcpy(dest,src);
>     strncpy(&dest[strlen(src)],tmp,MAX_STRING_LEN);
> }
> 
> If you see a problem with this, please let me know.
> 
> Thanks,
> 
> Scott
> 

The first thing that comes to my mind is that strncpy doesn't put a null at the end.
In the case where you have a MAX_STRING_LEN string, the rest of the code
would run past the end of the buffer.  If you make tmp[MAX_STRING_LEN + 1]
and set tmp[MAX_STRING_LEN] = '\0', you should be covered, since strncpy will
never copy anything to that index.
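As an added example (not code from this thread or from NCSA httpd), the block below first demonstrates the strncpy property the reply describes, then shows a bounded replacement for strsubfirst() that takes the size of dest as a parameter and refuses the operation when the result would not fit. MAX_STRING_LEN is set to a small constructed value so the edge case is easy to hit, and the function names strncpy_left_unterminated, bounded_len and safe_strsubfirst are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, deliberately small buffer size so the edge case is easy to
   exercise; the real NCSA httpd constant was much larger. */
#define MAX_STRING_LEN 16

/*
 * Shows the property the reply points out: strncpy(dst, src, n) writes no
 * terminating NUL when strlen(src) >= n. Returns 1 if the first n bytes of
 * the destination contain no NUL after the copy, 0 if they do, -1 if n is
 * larger than the probe buffer.
 */
int strncpy_left_unterminated(const char *src, size_t n)
{
    char buf[MAX_STRING_LEN + 1];

    if (n > MAX_STRING_LEN)
        return -1;                      /* keep the probe inside buf */
    memset(buf, 'X', sizeof buf);       /* sentinel: a missing NUL stays visible */
    strncpy(buf, src, n);
    return memchr(buf, '\0', n) == NULL;
}

/* Length of s, but never looks past max bytes (portable strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/*
 * Hardened strsubfirst (assumed name): result is src followed by
 * dest[start..], exactly as the original function intended, but the caller
 * passes dest_size and the function leaves dest untouched and returns -1
 * whenever the result plus its NUL would not fit. Returns 0 on success.
 */
int safe_strsubfirst(size_t start, char *dest, size_t dest_size, const char *src)
{
    size_t dest_len, src_len, tail_len;

    if (dest == NULL || src == NULL || dest_size == 0)
        return -1;
    dest_len = bounded_len(dest, dest_size);
    if (dest_len == dest_size || start > dest_len)
        return -1;                      /* dest not terminated, or start past its end */
    src_len = strlen(src);
    tail_len = dest_len - start;
    if (src_len > dest_size - 1 || tail_len > dest_size - 1 - src_len)
        return -1;                      /* would need more than dest_size - 1 chars */
    /* memmove copes with the tail's old and new positions overlapping;
       tail_len + 1 carries the terminating NUL along. */
    memmove(dest + src_len, dest + start, tail_len + 1);
    memcpy(dest, src, src_len);
    return 0;
}

int main(void)
{
    char dest[MAX_STRING_LEN] = "abcdef";    /* constructed input */

    printf("strncpy of a %d-char string into %d bytes leaves no NUL: %d\n",
           MAX_STRING_LEN, MAX_STRING_LEN,
           strncpy_left_unterminated("0123456789abcdef", MAX_STRING_LEN));
    if (safe_strsubfirst(1, dest, sizeof dest, "XYZ") == 0)
        printf("substitution ok: \"%s\"\n", dest);
    if (safe_strsubfirst(0, dest, sizeof dest, "0123456789") != 0)
        printf("refused: result would overflow dest\n");
    return 0;
}
```

Two design points are worth noting. Terminating tmp, as the reply suggests, only fixes the intermediate copy: by the C standard strncpy always writes exactly n bytes (padding with NULs), so the quoted version's final strncpy writes MAX_STRING_LEN bytes starting at &dest[strlen(src)] regardless of how short tmp is, which is why the replacement above bounds the write by the real size of dest rather than by MAX_STRING_LEN. And because the function checks the lengths before touching dest, a refused call leaves the caller's buffer exactly as it was.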
