SECURITY: CVE-2006-3747 (cve.mitre.org)

mod_rewrite: Fix an off-by-one security problem in the ldap scheme
handling.  For some RewriteRules this could lead to a pointer being
written out of bounds.  Reported by Mark Dowd of McAfee.

Reviewed by: trawick, lars, jorton, wrowe, benl

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@426146 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/src/CHANGES b/src/CHANGES
index f8e48febb507891f7c22442025019c953b0dc9f2..5f2090a834697cbbf900126bbbec5b541e03b430 100644 (file)
--- a/src/CHANGES
+++ b/src/CHANGES
@@ -1,5 +1,11 @@
 Changes with Apache 1.3.37
 
+  *) SECURITY: CVE-2006-3747 (cve.mitre.org)
+     mod_rewrite: Fix an off-by-one security problem in the ldap scheme
+     handling.  For some RewriteRules this could lead to a pointer being
+     written out of bounds.  Reported by Mark Dowd of McAfee.
+     [Mark Cox]
+
 Changes with Apache 1.3.36
 
   *) Reverted SVN rev #396294 due to unwanted regression.

diff --git a/src/modules/standard/mod_rewrite.c b/src/modules/standard/mod_rewrite.c
index fafc8a31657bf241b895f1694af3bcbc76d74abb..35db954fb6debbd9a0894748b04ddc4fbac085ff 100644 (file)
--- a/src/modules/standard/mod_rewrite.c
+++ b/src/modules/standard/mod_rewrite.c
@@ -2736,7 +2736,7 @@ static char *escape_absolute_uri(ap_pool *p, char *uri, unsigned scheme)
             int c = 0;
 
             token[0] = cp = ap_pstrdup(p, cp);
-            while (*cp && c < 5) {
+            while (*cp && c < 4) {
                 if (*cp == '?') {
                     token[++c] = cp + 1;
                     *cp = '\0';