[1010] in bugtraq
Re: Fixing the NCSA HTTPD 1.3
daemon@ATHENA.MIT.EDU (Paul 'Shag' Walmsley)
Thu Feb 16 02:44:54 1995
Date: Wed, 15 Feb 1995 23:57:26 -0600 (CST)
From: "Paul 'Shag' Walmsley" <ccshag@cclabs.missouri.edu>
To: Thomas Lopatic <lopatic@dbs.informatik.uni-muenchen.de>
Cc: bugtraq@fc.net, riddle@is.rice.edu, andrew@www.elsevier.co.uk, ckd@loiosh.kei.com
In-Reply-To: <199502141854.TAA02860@lionsden.informatik.uni-muenchen.de>
On Tue, 14 Feb 1995, Thomas Lopatic wrote:
> Hi there,
>
> in addition to the posted patches, which fix the problem documented, I'd like
> to suggest the following measures to make sure that buffer overflows don't
> happen in other parts of the daemon either. Please comment.
>
> 1. define HUGE_STRING_LEN and MAX_STRING_LEN to a value of 4000 each
> (file httpd.h)
>
> 2. have getline() read only 1000 characters instead of HUGE_STRING_LEN
> (file http_request.c: getline(l,HUGE_STRING_LEN/4,in,timeout) instead
> of getline(l,HUGE_STRING_LEN,in,timeout))
>
> This should at first sight pretty much eliminate the problem. It isn't at all
> good style, but it should do until an official patch is ready. Does anyone see
> any problems with this?
>
> Greetings,
> -Thomas
>
I have taken Thomas' fixes (with one slight change, see below) and added
them to Christopher Davis' fix and built a patch for ease of installation.
To use this, save the text after the "cut here" line as "httpd_1.3.patch",
download the source for httpd 1.3 from
ftp.ncsa.uiuc.edu:/Web/httpd/Unix/ncsa_httpd/httpd_1.3/httpd_source.tar.Z,
uncompress and untar it, and then cd into the httpd_1.3/src directory and
type "patch < ../../httpd_1.3.patch".
The difference between the suggestions above and the patch below is that
I set HUGE_STRING_LEN and MAX_STRING_LEN to 4096 (rather than 4000). If
this presents any additional problems, please tell me.
There are no warranties associated with this patch. Install at your own
risk. Have fun.
- Paul "Shag" Walmsley <ccshag@cclabs.missouri.edu>
"I'll drink a toast to bold evolution any day!"
----[ cut here ]----------------------------------------
diff -c -r httpd_1.3/src/http_request.c httpd_1.3a/src/http_request.c
*** httpd_1.3/src/http_request.c Sat May 7 21:47:09 1994
--- httpd_1.3a/src/http_request.c Wed Feb 15 23:28:35 1995
***************
*** 2,8 ****
* http_request.c: functions to get and process requests
*
* Rob McCool 3/21/93
! *
*/
--- 2,8 ----
* http_request.c: functions to get and process requests
*
* Rob McCool 3/21/93
! *
*/
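Review bot: this hunk is a no-op as shown: the `!` line reads ` *` on both the `*** 2,8 ****` and `--- 2,8 ----` sides, so the only possible difference is trailing whitespace in the file comment; drop it from the patch so installers are not left wondering what changed.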
***************
*** 101,107 ****
handle_request:
#endif
l[0] = '\0';
! if(getline(l,HUGE_STRING_LEN,in,timeout))
return;
if(!l[0])
return;
--- 101,107 ----
handle_request:
#endif
l[0] = '\0';
! if(getline(l,HUGE_STRING_LEN/4,in,timeout)) /* security patch */
return;
if(!l[0])
return;
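Review bot: the read cap `HUGE_STRING_LEN/4` is a magic divisor that silently encodes the whole safety argument (a line read here must be shorter than every buffer it is later copied into); give it its own name in httpd.h, e.g. a `MAX_LINE_LEN` define with a comment stating that invariant, and mention in the patch description that the request line is now read at most 1024 bytes at a time (4096/4, given the httpd.h hunk), since that is a behaviour change visible to clients.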
diff -c -r httpd_1.3/src/httpd.h httpd_1.3a/src/httpd.h
*** httpd_1.3/src/httpd.h Sat May 7 21:47:12 1994
--- httpd_1.3a/src/httpd.h Wed Feb 15 23:30:35 1995
***************
*** 251,258 ****
#define SHELL_PATH "/bin/sh"
/* The default string lengths */
! #define MAX_STRING_LEN 256
! #define HUGE_STRING_LEN 8192
/* The timeout for waiting for messages */
#define DEFAULT_TIMEOUT 1200
--- 251,258 ----
#define SHELL_PATH "/bin/sh"
/* The default string lengths */
! #define MAX_STRING_LEN 4096 /* security patch */
! #define HUGE_STRING_LEN 4096 /* security patch */
/* The timeout for waiting for messages */
#define DEFAULT_TIMEOUT 1200
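Review bot: setting MAX_STRING_LEN and HUGE_STRING_LEN to the same value removes the distinction the two names exist for, and every `char x[MAX_STRING_LEN]` stack buffer in the daemon grows 16x (256 to 4096) with no review of stack use in deeply nested paths; a comment beside the two defines should state why they are equal and that they must stay at least 4x the getline cap in http_request.c, otherwise a later edit to either constant silently reopens the overflow.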
diff -c -r httpd_1.3/src/util.c httpd_1.3a/src/util.c
*** httpd_1.3/src/util.c Sat May 7 21:47:15 1994
--- httpd_1.3a/src/util.c Wed Feb 15 23:32:00 1995
***************
*** 158,164 ****
void strsubfirst(int start,char *dest, char *src)
{
! char tmp[MAX_STRING_LEN];
strcpy(tmp,&dest[start]);
strcpy(dest,src);
--- 158,164 ----
void strsubfirst(int start,char *dest, char *src)
{
! char tmp[MAX_STRING_LEN+HUGE_STRING_LEN]; /* security patch */
strcpy(tmp,&dest[start]);
strcpy(dest,src);
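Review bot: enlarging `tmp` only protects the local copy of `&dest[start]`; the `strcpy(dest,src)` on the next visible line still writes into `dest` with no knowledge of its size, so an overflow of the caller's buffer is not fixed here, and `MAX_STRING_LEN+HUGE_STRING_LEN` assumes `dest` never holds more than that, which nothing in this hunk enforces. The function needs the destination capacity as a parameter (or a length check at each caller) and bounded copies instead of `strcpy`.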
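The two ideas behind the patch, a per-line read cap that is smaller than every buffer a line can land in, and a strsubfirst() that cannot write past its destination, written out as an added example that is not part of the posted patch or of NCSA httpd (the names `bounded_getline`, `read_request_line`, `strsubfirst_bounded` and `READ_LIMIT` are assumptions for illustration):

```c
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN 4096             /* buffer size chosen by the patch */
#define READ_LIMIT (MAX_STRING_LEN / 4) /* the patch's per-line read cap */

/* Read one line from `in`, storing at most cap-1 bytes plus a NUL in buf.
 * Bytes past the cap are consumed and dropped, so an over-long line is never
 * written beyond buf. Returns the line's full length (truncated if >= cap),
 * or -1 at EOF with no data. */
int bounded_getline(char *buf, size_t cap, FILE *in)
{
    size_t stored = 0, total = 0;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (stored + 1 < cap)
            buf[stored++] = (char)c;    /* keep room for the terminator */
        total++;
    }
    buf[stored] = '\0';
    return (c == EOF && total == 0) ? -1 : (int)total;
}

/* Mirror of the patched call site: the buffer is MAX_STRING_LEN bytes but the
 * read is capped at READ_LIMIT. Returns 0 when a complete line was stored and
 * -1 when there was no data or the line exceeded the cap, so the caller drops
 * the request instead of processing a truncated one. */
int read_request_line(char l[MAX_STRING_LEN], FILE *in)
{
    int len = bounded_getline(l, READ_LIMIT, in);
    return (len < 0 || len >= READ_LIMIT) ? -1 : 0;
}

/* Same operation as strsubfirst(): replace the first `start` bytes of dest
 * with src. Unlike the original, the caller passes dest's capacity and the
 * function refuses (returns -1, dest untouched) when the result would not
 * fit; returns 0 on success. Done in place, so no temporary buffer is needed. */
int strsubfirst_bounded(size_t start, char *dest, size_t dest_cap,
                        const char *src)
{
    size_t dlen = strlen(dest), slen = strlen(src), tail;
    if (start > dlen)
        return -1;
    tail = dlen - start;                /* bytes of dest kept after start */
    if (slen + tail + 1 > dest_cap)     /* +1 for the NUL terminator */
        return -1;
    memmove(dest + slen, dest + start, tail + 1); /* shift tail incl. NUL */
    memcpy(dest, src, slen);
    return 0;
}
```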