[409] in WWW Security List Archive
Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability
daemon@ATHENA.MIT.EDU (Scott Silvey)
Thu Feb 16 23:47:37 1995
To: www-security@ns2.rutgers.edu
In-Reply-To: Your message of "Thu, 16 Feb 1995 09:12:06 MST."
<199502161612.JAA16088@seagull.rtd.com>
Date: Thu, 16 Feb 1995 17:49:32 -0800
From: Scott Silvey <scott@swindle.Berkeley.EDU>
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
# The problem is none of the patches of adjusting the size of the "tmp"
# array in strsubfirst() really fix the overall problem.
#
# If the input array (dest) is sized to HUGE_STRING_LEN and is full,
# then the input array (dest) will overrun whatever follows it when the
# strcpy(&dest[strlen(src)],tmp);
# is executed because now the total number of bytes placed in dest is
# "what was there" plus (in the case most recently discussed) the
# contents of document_root_path.
Any reason why the following wouldn't be an adequate fix?:
void strsubfirst(int start,char *dest, char *src)
{
    char tmp[MAX_STRING_LEN];

    strncpy(tmp,&dest[start],MAX_STRING_LEN);
    strcpy(dest,src);
    strncpy(&dest[strlen(src)],tmp,MAX_STRING_LEN);
}
If you see a problem with this, please let me know.
Thanks,
Scott