Bugtraq mailing list archives
Re: Fixing the NCSA HTTPD 1.3
From: ccshag () cclabs missouri edu (Paul 'Shag' Walmsley)
Date: Wed, 15 Feb 1995 23:57:26 -0600 (CST)
On Tue, 14 Feb 1995, Thomas Lopatic wrote:
> Hi there,
>
> in addition to the posted patches, which fix the problem documented, I'd like to suggest the following measures to make sure that buffer overflows don't happen in other parts of the daemon either. Please comment.
>
> 1. define HUGE_STRING_LEN and MAX_STRING_LEN to a value of 4000 each (file httpd.h)
>
> 2. have getline() read only 1000 characters instead of HUGE_STRING_LEN (file http_request.c: getline(l,HUGE_STRING_LEN/4,in,timeout) instead of getline(l,HUGE_STRING_LEN,in,timeout))
>
> This should at first sight pretty much eliminate the problem. It isn't at all good style, but it should do until an official patch is ready. Does anyone see any problems with this?
>
> Greetings,
> -Thomas
I have taken Thomas' fixes (with one slight change, see below) and added them to Christopher Davis' fix and built a patch for ease of installation.

To use this, save the text after the "cut here" line as "httpd_1.3.patch", download the source for httpd 1.3 from ftp.ncsa.uiuc.edu:/Web/httpd/Unix/ncsa_httpd/httpd_1.3/httpd_source.tar.Z, uncompress and untar it, and then cd into the httpd_1.3/src directory and type "patch < ../../httpd_1.3.patch".

The difference between the suggestions above and the patch below is that I set HUGE_STRING_LEN and MAX_STRING_LEN to 4096 (rather than 4000). If this presents any additional problems, please tell me.

There are no warranties associated with this patch. Install at your own risk. Have fun.

- Paul "Shag" Walmsley <ccshag () cclabs missouri edu>
"I'll drink a toast to bold evolution any day!"

----[ cut here ]---------------------------------------- diff -c -r httpd_1.3/src/http_request.c httpd_1.3a/src/http_request.c *** httpd_1.3/src/http_request.c Sat May 7 21:47:09 1994 --- httpd_1.3a/src/http_request.c Wed Feb 15 23:28:35 1995 *************** *** 2,8 **** * http_request.c: functions to get and process requests * * Rob McCool 3/21/93 ! * */ --- 2,8 ---- * http_request.c: functions to get and process requests * * Rob McCool 3/21/93 ! * */ *************** *** 101,107 **** handle_request: #endif l[0] = '\0'; ! if(getline(l,HUGE_STRING_LEN,in,timeout)) return; if(!l[0]) return; --- 101,107 ---- handle_request: #endif l[0] = '\0'; ! if(getline(l,HUGE_STRING_LEN/4,in,timeout)) /* security patch */ return; if(!l[0]) return; diff -c -r httpd_1.3/src/httpd.h httpd_1.3a/src/httpd.h *** httpd_1.3/src/httpd.h Sat May 7 21:47:12 1994 --- httpd_1.3a/src/httpd.h Wed Feb 15 23:30:35 1995 *************** *** 251,258 **** #define SHELL_PATH "/bin/sh" /* The default string lengths */ ! #define MAX_STRING_LEN 256 ! 
#define HUGE_STRING_LEN 8192 /* The timeout for waiting for messages */ #define DEFAULT_TIMEOUT 1200 --- 251,258 ---- #define SHELL_PATH "/bin/sh" /* The default string lengths */ ! #define MAX_STRING_LEN 4096 /* security patch */ ! #define HUGE_STRING_LEN 4096 /* security patch */ /* The timeout for waiting for messages */ #define DEFAULT_TIMEOUT 1200 diff -c -r httpd_1.3/src/util.c httpd_1.3a/src/util.c *** httpd_1.3/src/util.c Sat May 7 21:47:15 1994 --- httpd_1.3a/src/util.c Wed Feb 15 23:32:00 1995 *************** *** 158,164 **** void strsubfirst(int start,char *dest, char *src) { ! char tmp[MAX_STRING_LEN]; strcpy(tmp,&dest[start]); strcpy(dest,src); --- 158,164 ---- void strsubfirst(int start,char *dest, char *src) { ! char tmp[MAX_STRING_LEN+HUGE_STRING_LEN]; /* security patch */ strcpy(tmp,&dest[start]); strcpy(dest,src);
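Review bot: the first http_request.c hunk (lines 2-8) marks one line of the file header comment as changed, but the old and new text read the same here, so this looks like a whitespace-only edit. Drop it from the patch so the security fix touches only the lines that matter and still applies to trees where that comment differs.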
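Review bot: in the handle_request hunk, HUGE_STRING_LEN/4 is a magic expression whose value depends on the httpd.h hunk: with HUGE_STRING_LEN at 4096 the read limit becomes 1024, not the 1000 mentioned in the proposal. A named constant with a comment stating that it must stay below the size of every buffer the request line is later copied into would make the invariant explicit. The visible lines also do not show what happens to the remainder of a request line longer than the limit; it is worth confirming that it is discarded or rejected rather than read as a following line.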
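Review bot: in the httpd.h hunk, MAX_STRING_LEN goes from 256 to 4096 while HUGE_STRING_LEN drops from 8192 to 4096, so every buffer declared with MAX_STRING_LEN becomes 16 times larger and every buffer declared with HUGE_STRING_LEN is halved. The halving calls for an audit of each HUGE_STRING_LEN user for data that used to fit and no longer does, and the /* security patch */ comments should state which relationship between the two values and the getline() limit the fix relies on.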
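Review bot: in the util.c hunk, enlarging tmp to MAX_STRING_LEN+HUGE_STRING_LEN leaves both strcpy calls in strsubfirst() unbounded: strcpy(tmp,&dest[start]) is safe only while every caller's dest is shorter than the new size, and strcpy(dest,src) still has no knowledge of dest's capacity. Pass the destination size into the function and check the lengths before copying, or at least document the maximum input length that callers must guarantee.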