Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability
On Thu, 16 Feb 1995, Scott Silvey wrote:
> Date: Thu, 16 Feb 1995 17:49:32 -0800
> From: Scott Silvey <scott@swindle.Berkeley.EDU>
> To: www-security@ns2.rutgers.edu
> Subject: Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability
>
>
> # The problem is none of the patches of adjusting the size of the "tmp"
> # array in strsubfirst() really fix the overall problem.
> #
> Any reason why the following wouldn't be an adequate fix?:
>
> void strsubfirst(int start,char *dest, char *src)
> {
> char tmp[MAX_STRING_LEN];
>
> strncpy(tmp,&dest[start],MAX_STRING_LEN);
> strcpy(dest,src);
> strncpy(&dest[strlen(src)],tmp,MAX_STRING_LEN);
> }
>
> If you see a problem with this, please let me know.
>
> Thanks,
>
> Scott
>
First thing that comes to my mind is that strncpy doesn't put a null at the end.
In the case where you have a MAX_STRING_LEN string the rest of the code
would run past the end of the buffer. If you make tmp [MAX_STRING_LEN + 1]
and tmp [MAX_STRING_LEN] = '\0' you should be covered since strncpy will
never copy anything to that index.
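
The termination point raised in this reply, as an added example that is not part of the original thread or of NCSA httpd's code: it shows strncpy() leaving a full-length copy unterminated, then a bounded variant that applies the `MAX_STRING_LEN + 1` suggestion and also checks the destination's capacity. The function names, the `dest_size` parameter and the small `MAX_STRING_LEN` value are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN 16   /* constructed small value so the edge case is easy to hit */

/* Returns 1 if strncpy() left a terminator inside tmp, 0 if it did not.
 * tmp is pre-filled with 'X' to stand in for whatever was on the stack. */
int tail_copy_is_terminated(const char *tail)
{
    char tmp[MAX_STRING_LEN];
    memset(tmp, 'X', sizeof tmp);
    strncpy(tmp, tail, MAX_STRING_LEN);
    return memchr(tmp, '\0', sizeof tmp) != NULL;
}

/* Hypothetical bounded variant: replaces dest[0..start) with src.
 * Assumes dest is NUL-terminated, src does not overlap dest, and dest_size
 * is the full capacity of dest. Returns 0 on success, -1 if it would not fit
 * (dest is left unchanged in that case). */
int strsubfirst_bounded(size_t start, char *dest, size_t dest_size, const char *src)
{
    char tmp[MAX_STRING_LEN + 1];
    size_t dest_len = strlen(dest), src_len = strlen(src), tail_len;

    if (start > dest_len || dest_len - start > MAX_STRING_LEN)
        return -1;                          /* tail would not fit in tmp */
    tail_len = dest_len - start;
    if (src_len + tail_len + 1 > dest_size)
        return -1;                          /* result would not fit in dest */

    strncpy(tmp, dest + start, MAX_STRING_LEN);
    tmp[MAX_STRING_LEN] = '\0';             /* strncpy never writes this index */
    memcpy(dest, src, src_len);
    memcpy(dest + src_len, tmp, tail_len + 1);
    return 0;
}

int main(void)
{
    char buf[32] = "/~user/index.html";     /* constructed sample input */
    printf("full-length tail terminated: %d\n",
           tail_copy_is_terminated("0123456789abcdef"));
    if (strsubfirst_bounded(6, buf, sizeof buf, "/home/user") == 0)
        printf("%s\n", buf);
    return 0;
}
```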