[402] in WWW Security List Archive


Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability

daemon@ATHENA.MIT.EDU (Brian Behlendorf)
Thu Feb 16 17:07:55 1995

Date: Thu, 16 Feb 1995 09:56:42 -0800 (PST)
From: Brian Behlendorf <brian@wired.com>
To: www-security@ns2.rutgers.edu
In-Reply-To: <9502152131.AA21296@mccarthy.csd.uwo.ca>
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

On Wed, 15 Feb 1995, A Warren Pratten wrote:
> ->       /* The default string lengths */
> ->       #define MAX_STRING_LEN 256
> ->       #define HUGE_STRING_LEN 8192
> -> 
> -> to:
> -> 
> ->       /* The default string lengths */
> ->       #define HUGE_STRING_LEN 8192
> ->       #define MAX_STRING_LEN  HUGE_STRING_LEN
> -> 
> -> Then rebuild, install, and restart the new httpd server.
> 
> This is a pathetic fix.  Sure it will solve the problem for a short time until
> a clever hacker realises that all he/she has to do is overflow a larger
> buffer.  

This is also a huge performance hit.  I implemented this yesterday only 
to watch our servers melt due to all the memory swapping taking place 
(16 pages of memory per buffer vs. 1 page before).  

> I think I will opt for patching the source so that it does some sort of bound
> check on the buffer.  At least until NCSA provides an official fix.

There were some other mods posted here recently that provided a much 
nicer fix.

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@hotwired.com  brian@hyperreal.com  http://www.hotwired.com/Staff/brian/
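
The bound check the thread prefers over enlarging MAX_STRING_LEN, as an added example that is not part of the original message and is not NCSA httpd's code. The function names, the /srv/www document root and the test URLs are constructed for illustration; the buffer stays at the original 256 bytes and oversized input is rejected whatever its length.

```c
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN  256    /* original value quoted in the advisory */
#define HUGE_STRING_LEN 8192

/* Hypothetical helper: append src to the NUL-terminated string in dst.
 * Returns 0 on success, -1 if the result would not fit (dst unchanged). */
int bounded_append(char *dst, size_t dstsize, const char *src)
{
    const char *end = memchr(dst, '\0', dstsize);
    size_t used, n = strlen(src);
    if (end == NULL)
        return -1;                 /* dst is not terminated inside its buffer */
    used = (size_t)(end - dst);
    if (n >= dstsize - used)
        return -1;                 /* no room for src plus its NUL */
    memcpy(dst + used, src, n + 1);
    return 0;
}

/* Hypothetical request-path builder: docroot + url into a fixed buffer. */
int build_path(char *out, size_t outsize, const char *docroot, const char *url)
{
    if (outsize == 0)
        return -1;
    out[0] = '\0';
    if (bounded_append(out, outsize, docroot) != 0)
        return -1;
    return bounded_append(out, outsize, url);
}

/* Constructed input: a URL of `len` bytes, run against a 256-byte buffer. */
int try_url_of_length(size_t len)
{
    static char url[HUGE_STRING_LEN + 1024];
    char path[MAX_STRING_LEN];
    if (len == 0 || len >= sizeof url)
        return -2;                 /* outside what this demo can construct */
    memset(url, 'A', len);
    url[0] = '/';
    url[len] = '\0';
    return build_path(path, sizeof path, "/srv/www", url);
}

int main(void)
{
    printf("%d %d\n", try_url_of_length(100), try_url_of_length(9000));
    return 0;
}
```

A caller would answer a -1 result with an error response instead of continuing with a truncated or overflowed path.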

