[416] in WWW Security List Archive
Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability
daemon@ATHENA.MIT.EDU (Dana Hudes)
Fri Feb 17 14:53:04 1995
Date: Fri, 17 Feb 1995 10:39:51 -0500 (EST)
From: Dana Hudes <dhudes@panix.com>
To: www-security@ns2.rutgers.edu
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <9502170149.AA15000@swindle.Berkeley.EDU>
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
On Thu, 16 Feb 1995, Scott Silvey wrote:
> Date: Thu, 16 Feb 1995 17:49:32 -0800
> From: Scott Silvey <scott@swindle.Berkeley.EDU>
> To: www-security@ns2.rutgers.edu
> Subject: Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability
>
>
> # The problem is none of the patches of adjusting the size of the "tmp"
> # array in strsubfirst() really fix the overall problem.
> #
> Any reason why the following wouldn't be an adequate fix?:
>
> void strsubfirst(int start,char *dest, char *src)
> {
>     char tmp[MAX_STRING_LEN];
>
>     strncpy(tmp,&dest[start],MAX_STRING_LEN);
>     strcpy(dest,src);
>     strncpy(&dest[strlen(src)],tmp,MAX_STRING_LEN);
> }
>
> If you see a problem with this, please let me know.
>
> Thanks,
>
> Scott
>
The first thing that comes to my mind is that strncpy doesn't put a null at the end.
In the case where you have a MAX_STRING_LEN string, the rest of the code
would run past the end of the buffer. If you make tmp[MAX_STRING_LEN + 1]
and set tmp[MAX_STRING_LEN] = '\0', you should be covered, since strncpy will
never copy anything to that index.
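The fix the reply proposes, carried through as an added example that is not code from this thread or from NCSA httpd: tmp gets one extra byte and an explicit terminator so a full-length tail saved by strncpy can never be read past the end of the buffer. The example goes one step beyond the reply and also bounds the copies into dest, since the quoted version's strcpy and second strncpy are unbounded with respect to dest's size. The function name strsubfirst_safe, the MAX_STRING_LEN value of 256 and the check functions are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this example; the page does not give
 * NCSA httpd's actual MAX_STRING_LEN value. */
#define MAX_STRING_LEN 256

/*
 * strsubfirst_safe (hypothetical name): replace dest[0..start) with src and
 * keep the old tail dest[start..]. Same structure as the quoted strsubfirst(),
 * with the reply's fix applied: tmp is one byte larger and tmp[MAX_STRING_LEN]
 * is always '\0', so a tail that fills every byte strncpy copies (strncpy adds
 * no terminator then) cannot make later reads run off the end of tmp.
 * Beyond the reply, writes into dest are bounded as well: dest must hold
 * MAX_STRING_LEN bytes and be NUL-terminated on entry, and on return it holds
 * at most MAX_STRING_LEN - 1 characters plus the terminator.
 * Returns 0 on success, -1 if start is out of range or the result was truncated.
 */
int strsubfirst_safe(int start, char *dest, const char *src)
{
    char tmp[MAX_STRING_LEN + 1];
    size_t srclen = strlen(src);
    size_t room;
    int truncated = 0;

    if (start < 0 || (size_t)start > strlen(dest))
        return -1;

    /* Save the tail. strncpy may fill tmp[0..MAX_STRING_LEN) with no NUL. */
    strncpy(tmp, &dest[start], MAX_STRING_LEN);
    tmp[MAX_STRING_LEN] = '\0';          /* strncpy never writes this index */

    /* Copy src, clamped to what the destination can hold. */
    if (srclen > MAX_STRING_LEN - 1) {
        srclen = MAX_STRING_LEN - 1;
        truncated = 1;
    }
    memcpy(dest, src, srclen);

    /* Append the saved tail into the remaining room, then terminate. */
    room = MAX_STRING_LEN - 1 - srclen;
    if (strlen(tmp) > room)
        truncated = 1;
    strncpy(&dest[srclen], tmp, room);
    dest[MAX_STRING_LEN - 1] = '\0';

    return truncated ? -1 : 0;
}

/* Ordinary replacement with plenty of room; an out-of-range start is rejected. */
int check_basic(void)
{
    char dest[MAX_STRING_LEN] = "hello world";   /* constructed input */
    char other[MAX_STRING_LEN] = "hi";            /* constructed input */
    int rc = strsubfirst_safe(5, dest, "HEY");
    if (rc != 0 || strcmp(dest, "HEY world") != 0)
        return 0;
    return strsubfirst_safe(10, other, "x") == -1;
}

/* The case the reply worries about: the saved tail fills every byte that
 * strncpy copies. The result must stay terminated and within the buffer,
 * and the truncation must be reported. */
int check_full_tail(void)
{
    char dest[MAX_STRING_LEN];
    int rc;
    memset(dest, 'a', MAX_STRING_LEN - 1);        /* constructed: 255 x 'a' */
    dest[MAX_STRING_LEN - 1] = '\0';
    rc = strsubfirst_safe(0, dest, "b");
    return rc == -1 && dest[0] == 'b' && dest[1] == 'a'
        && strlen(dest) == MAX_STRING_LEN - 1;
}

/* src alone is longer than the buffer: clamped, terminated, reported. */
int check_long_src(void)
{
    char dest[MAX_STRING_LEN] = "tail";
    char src[2 * MAX_STRING_LEN];
    int rc;
    memset(src, 'x', sizeof src - 1);             /* constructed: 511 x 'x' */
    src[sizeof src - 1] = '\0';
    rc = strsubfirst_safe(0, dest, src);
    return rc == -1 && strlen(dest) == MAX_STRING_LEN - 1 && dest[0] == 'x';
}

int main(void)
{
    printf("basic:     %s\n", check_basic() ? "ok" : "FAIL");
    printf("full tail: %s\n", check_full_tail() ? "ok" : "FAIL");
    printf("long src:  %s\n", check_long_src() ? "ok" : "FAIL");
    return 0;
}
```

The return value is what makes the bound useful to a caller: a truncated URL rewrite is a different request than the one the client sent, so the caller should treat -1 as an error rather than serve the shortened path.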