SECURITY: CVE-2006-3747 (cve.mitre.org)

mod_rewrite: Fix an off-by-one security problem in the ldap scheme
handling.  For some RewriteRules this could lead to a pointer being
written out of bounds.  Reported by Mark Dowd of McAfee.

Reviewed by: trawick, lars, jorton, wrowe, benl

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@426144 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index d34b430bc7c020378bbd4a0deccda41fe2d2d484..37ad82c8f2d5d85af2a8c900e1dcac9a3923e9fb 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,12 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.59
 
+  *) SECURITY: CVE-2006-3747 (cve.mitre.org)
+     mod_rewrite: Fix an off-by-one security problem in the ldap scheme
+     handling.  For some RewriteRules this could lead to a pointer being
+     written out of bounds.  Reported by Mark Dowd of McAfee.
+     [Mark Cox]
+
 Changes with Apache 2.0.58
 
   *) Legal: Restored original years in copyright notices.

diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 078f1b027c865da684ab1b66b835bced4d9690e6..dcbac539add607452d049536653ba8fda46f8918 100644 (file)
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -2906,7 +2906,7 @@ static char *escape_absolute_uri(apr_pool_t *p, char *uri, unsigned scheme)
             int c = 0;
 
             token[0] = cp = apr_pstrdup(p, cp);
-            while (*cp && c < 5) {
+            while (*cp && c < 4) {
                 if (*cp == '?') {
                     token[++c] = cp + 1;
                     *cp = '\0';