SECURITY: CVE-2006-3747 (cve.mitre.org)

mod_rewrite: Fix an off-by-one security problem in the ldap scheme
handling.  For some RewriteRules this could lead to a pointer being
written out of bounds.  Reported by Mark Dowd of McAfee.

Ack: trawick, lars, jorton, wrowe, benl

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@426141 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 1e13aaecf72a2c64370561b2b5985d84c600f270..9ea66a88dfd8ce01dd9f934ae763163476d58574 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,12 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.2.3
 
+  *) SECURITY: CVE-2006-3747 (cve.mitre.org)
+     mod_rewrite: Fix an off-by-one security problem in the ldap scheme
+     handling.  For some RewriteRules this could lead to a pointer being
+     written out of bounds.  Reported by Mark Dowd of McAfee.
+     [Mark Cox]
+  
   *) mod_authn_alias: Add a check to make sure that the base provider and the
      alias names are different and also that the alias has not been registered
      before. PR 40051. [Brad Nicholes]

diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index aa54ffba9ab998685cba92e6a612e99933e33874..58f348a622341be61c84fe02fa713c9ecefc32f6 100644 (file)
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -667,7 +667,7 @@ static char *escape_absolute_uri(apr_pool_t *p, char *uri, unsigned scheme)
             int c = 0;
 
             token[0] = cp = apr_pstrdup(p, cp);
-            while (*cp && c < 5) {
+            while (*cp && c < 4) {
                 if (*cp == '?') {
                     token[++c] = cp + 1;
                     *cp = '\0';