From: Rainer Jung <rjung@apache.org>
Date: Wed, 5 Jun 2013 14:47:30 +0000 (+0000)
Subject: htdigest: Fix buffer overflow when reading digest
X-Git-Tag: 2.0.65~35
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f8af67448afacf8e443e31ce6287938357ff995;p=thirdparty%2Fapache%2Fhttpd.git

htdigest: Fix buffer overflow when reading digest
password file with very long lines.

PR 54893.

Backport of r1475878 from trunk resp.
r1476089 from 2.4.x resp. r1476242
from 2.2.x.

Proposed/Backported by: rjung
Reviewed by: minfrin, wrowe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1489893 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 610e9d93290..00f14fdadd4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -28,6 +28,9 @@ Changes with Apache 2.0.65
      is enabled, could allow local users to gain privileges via a .htaccess
      file. [Stefan Fritsch, Greg Ames]
 
+  *) htdigest: Fix buffer overflow when reading digest password file
+     with very long lines. PR 54893. [Rainer Jung]
+
   *) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the
      OpenSSL 0.9.7 flag which uses the server's cipher order rather
      than the client's.  PR 28665.
diff --git a/STATUS b/STATUS
index d562ec6e6c6..5f0d4b92342 100644
--- a/STATUS
+++ b/STATUS
@@ -188,15 +188,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  * htdigest: Fix buffer overflow when reading digest
-    password file with very long lines. PR 54893.
-    trunk patch: https://svn.apache.org/r1475878
-    2.4.x patch: https://svn.apache.org/11476089
-    2.2.x patch: https://svn.apache.org/r1476242
-    2.0.x patch: http://people.apache.org/~rjung/patches/htdigest-buffer_overflow_2_0.patch
-    +1: rjung, minfrin, wrowe
-    -1: 
-
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ please place SVN revisions from trunk here, so it is easy to
diff --git a/support/htdigest.c b/support/htdigest.c
index 55699ad1669..60f6611d61f 100644
--- a/support/htdigest.c
+++ b/support/htdigest.c
@@ -96,12 +96,15 @@ static int get_line(char *s, int n, apr_file_t *f)
     char ch;
     apr_status_t rv = APR_EINVAL;
 
-    while (i < (n - 1) && 
+    /* we need 2 remaining bytes in buffer */
+    while (i < (n - 2) &&
            ((rv = apr_file_getc(&ch, f)) == APR_SUCCESS) && (ch != '\n')) {
         s[i++] = ch;
     }
+    /* First remaining byte potentially used here */
     if (ch == '\n')
         s[i++] = ch;
+    /* Second remaining byte used here */
     s[i] = '\0';
 
     if (rv != APR_SUCCESS)