ab.c was using strncat incorrectly as well as not checking for possible
authorJim Jagielski <jim@apache.org>
Sat, 28 Sep 2002 23:40:20 +0000 (23:40 +0000)
committerJim Jagielski <jim@apache.org>
Sat, 28 Sep 2002 23:40:20 +0000 (23:40 +0000)
buffer overflow.
PR:
Obtained from:
Submitted by:
Reviewed by:

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@97007 13f79535-47bb-0310-9956-ffa450edef68

src/CHANGES
src/support/ab.c

index 85277e9c33479f7d68351be00a6ef415efc1e5b6..c830670f0ab564d9336cbdd1b677beb162f58e4c 100644 (file)
@@ -1,5 +1,8 @@
 Changes with Apache 1.3.27
 
+  *) Fix some possible overflows in ab.c noted by David Wagner.
+     [Jim Jagielski]
+
   *) Included a patch submitted by Sander van Zoest (#9181) and
      written by Michael Radwin whichs is essentially a work around
      for the adding headers to error responses. As apache does not
index 53af498ccba174809a9a6e38889d0dacb16b3682..76c4ea2a676487471e930bcc1d7129102da698a9 100644 (file)
@@ -1079,11 +1079,12 @@ static void read_connection(struct connection * c)
                 * this is first time, extract some interesting info
                 */
                char *p, *q;
+               int qlen;
                p = strstr(c->cbuff, "Server:");
-               q = servername;
+               q = servername; qlen = sizeof(servername);
                if (p) {
                    p += 8;
-                   while (*p > 32)
+                   while (*p > 32 && qlen-- > 1) 
                        *q++ = *p++;
                }
                *q = 0;
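Review bot: `p += 8` still assumes a character follows the 7-byte `Server:` token, and the new `qlen` bound limits only the writes into `servername`, not this read. If the response data ends directly after the colon, `p` lands one past the terminator that `strstr` relied on, and the loop then reads outside `c->cbuff`. Advancing over the token and skipping optional whitespace avoids the blind step: `p += 7; while (*p == ' ' || *p == '\t') p++;`. Separately, `qlen = sizeof(servername)` is only correct if `servername` is an array rather than a pointer; its declaration is outside the hunk, as are the start and end of read_connection.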
@@ -1351,14 +1352,14 @@ static void test(void)
 static void copyright(void)
 {
     if (!use_html) {
-       printf("This is ApacheBench, Version %s\n", VERSION " <$Revision: 1.66 $> apache-1.3");
+       printf("This is ApacheBench, Version %s\n", VERSION " <$Revision: 1.67 $> apache-1.3");
        printf("Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\n");
        printf("Copyright (c) 1998-2002 The Apache Software Foundation, http://www.apache.org/\n");
        printf("\n");
     }
     else {
        printf("<p>\n");
-       printf(" This is ApacheBench, Version %s <i>&lt;%s&gt;</i> apache-1.3<br>\n", VERSION, "$Revision: 1.66 $");
+       printf(" This is ApacheBench, Version %s <i>&lt;%s&gt;</i> apache-1.3<br>\n", VERSION, "$Revision: 1.67 $");
        printf(" Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/<br>\n");
        printf(" Copyright (c) 1998-2002 The Apache Software Foundation, http://www.apache.org/<br>\n");
        printf("</p>\n<p>\n");
@@ -1575,9 +1576,9 @@ int main(int argc, char **argv)
            strcpy(content_type, optarg);
            break;
        case 'C':
-           strncat(cookie, "Cookie: ", sizeof(cookie));
-           strncat(cookie, optarg, sizeof(cookie));
-           strncat(cookie, "\r\n", sizeof(cookie));
+           strncat(cookie, "Cookie: ", sizeof(cookie)-strlen(cookie)-1);
+           strncat(cookie, optarg, sizeof(cookie)-strlen(cookie)-1);
+           strncat(cookie, "\r\n", sizeof(cookie)-strlen(cookie)-1);
            break;
        case 'A':
            /*
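Review bot: The context line `strcpy(content_type, optarg);` directly above the `'C'` case is still an unbounded copy of a command-line argument into what appears to be a fixed-size buffer, so the overflow class this commit fixes for `cookie` remains for `-T`. A length check before the copy would close it, for example `if (strlen(optarg) >= sizeof(content_type))` followed by an error exit, or a bounded `ap_snprintf(content_type, sizeof(content_type), "%s", optarg);`. The declaration of `content_type` is outside the hunk, so its size should be confirmed there.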
@@ -1589,9 +1590,9 @@ int main(int argc, char **argv)
            l = ap_base64encode(tmp, optarg, strlen(optarg));
            tmp[l] = '\0';
 
-           strncat(auth, "Authorization: Basic ", sizeof(auth));
-           strncat(auth, tmp, sizeof(auth));
-           strncat(auth, "\r\n", sizeof(auth));
+           strncat(auth, "Authorization: Basic ", sizeof(auth)-strlen(auth)-1);
+           strncat(auth, tmp, sizeof(auth)-strlen(auth)-1);
+           strncat(auth, "\r\n", sizeof(auth)-strlen(auth)-1);
            break;
        case 'P':
            /*
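Review bot: The `ap_base64encode(tmp, optarg, strlen(optarg))` call and the `tmp[l] = '\0'` store run before any of the bounded `strncat` calls, and nothing in the hunk limits `optarg` to what `tmp` can hold. Base64 output is about four thirds of the input length, so a long `-A` argument can overrun `tmp` even though the later appends to `auth` are now bounded. Assuming `tmp` is a fixed-size array declared outside the hunk, guard the encode with `if (ap_base64encode_len(strlen(optarg)) > sizeof(tmp))` and exit with an error. The `-P` hunk that follows has the same pattern and needs the same check.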
@@ -1602,9 +1603,9 @@ int main(int argc, char **argv)
            l = ap_base64encode(tmp, optarg, strlen(optarg));
            tmp[l] = '\0';
 
-           strncat(auth, "Proxy-Authorization: Basic ", sizeof(auth));
-           strncat(auth, tmp, sizeof(auth));
-           strncat(auth, "\r\n", sizeof(auth));
+           strncat(auth, "Proxy-Authorization: Basic ", sizeof(auth)-strlen(auth)-1);
+           strncat(auth, tmp, sizeof(auth)-strlen(auth)-1);
+           strncat(auth, "\r\n", sizeof(auth)-strlen(auth)-1);
            break;
        case 'X':
            {
@@ -1622,8 +1623,8 @@ int main(int argc, char **argv)
            }
            break;
        case 'H':
-           strncat(hdrs, optarg, sizeof(hdrs));
-           strncat(hdrs, "\r\n", sizeof(hdrs));
+           strncat(hdrs, optarg, sizeof(hdrs)-strlen(hdrs)-1);
+           strncat(hdrs, "\r\n", sizeof(hdrs)-strlen(hdrs)-1);
            break;
        case 'V':
            copyright();
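Review bot: With the corrected bounds, an over-long `-H` value is now truncated silently, and when `optarg` fills `hdrs` the following `strncat(hdrs, "\r\n", ...)` appends nothing. The last header line is then left unterminated and merges with whatever is written after it in the request. Rejecting the option is safer than sending a request the user did not specify: `if (strlen(hdrs) + strlen(optarg) + 2 >= sizeof(hdrs))` followed by an error exit, before the two appends. The same applies to the `cookie` and `auth` appends in the `-C`, `-A` and `-P` hunks, where a truncated credential or cookie would produce misleading benchmark results.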