[1002] in bugtraq
Re: Vulnerability in NCSA HTTPD 1.3
daemon@ATHENA.MIT.EDU (Thomas Roessler)
Wed Feb 15 09:40:51 1995
From: Thomas Roessler <roessler@sobolev.cologne.de>
To: ccshag@cclabs.missouri.edu (Paul 'Shag' Walmsley)
Date: Wed, 15 Feb 1995 00:42:03 +0100 (MET)
Cc: lopatic@dbs.informatik.uni-muenchen.de, bugtraq@fc.net,
roessler@sobolev.cologne.de (Thomas Roessler)
In-Reply-To: <Pine.SGI.3.91.950214002710.12040A-100000@sgi2.phlab.missouri.edu> from "Paul 'Shag' Walmsley" at Feb 14, 95 00:33:05 am

Paul 'Shag' Walmsley wrote:
> As Thomas implied, this particular problem can probably be fixed by
> changing line 161 of util.c from
>
> char tmp[MAX_STRING_LEN];
> to
> char tmp[HUGE_STRING_LEN];
>
> in NCSA's source. We're running with the HUGE_STRING_LEN tmp now with no
> (immediately apparent) bad side-effects (other than Thomas' hack not working
> any more ;)

Sounds reasonable. But what will happen if the destination parameter of
strsubfirst() is too small to hold the result? No checking is done... I
would suggest to additionally increase all the buffer sizes, except the
number of bytes read from the client. I did so at our institute's server,
and it seems to work fine.
--
Internet: roessler@indi5.iam.uni-bonn.de
Private email: roessler@sobolev.cologne.de