From: Jim Jagielski Date: Sat, 28 Sep 2002 23:40:20 +0000 (+0000) Subject: ab.c was using strncat incorrectly as well as not checking for possible X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f7164e07b7302f9b85e0da3f81f364f2d949c94f;p=thirdparty%2Fapache%2Fhttpd.git ab.c was using strncat incorrectly as well as not checking for possible buffer overflow. PR: Obtained from: Submitted by: Reviewed by: git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@97007 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/src/CHANGES b/src/CHANGES index 85277e9c334..c830670f0ab 100644 --- a/src/CHANGES +++ b/src/CHANGES @@ -1,5 +1,8 @@ Changes with Apache 1.3.27 + *) Fix some possible overflows in ab.c noted by David Wagner. + [Jim Jagielski] + *) Included a patch submitted by Sander van Zoest (#9181) and written by Michael Radwin whichs is essentially a work around for the adding headers to error responses. As apache does not diff --git a/src/support/ab.c b/src/support/ab.c index 53af498ccba..76c4ea2a676 100644 --- a/src/support/ab.c +++ b/src/support/ab.c @@ -1079,11 +1079,12 @@ static void read_connection(struct connection * c) * this is first time, extract some interesting info */ char *p, *q; + int qlen; p = strstr(c->cbuff, "Server:"); - q = servername; + q = servername; qlen = sizeof(servername); if (p) { p += 8; - while (*p > 32) + while (*p > 32 && qlen-- > 1) *q++ = *p++; } *q = 0; @@ -1351,14 +1352,14 @@ static void test(void) static void copyright(void) { if (!use_html) { - printf("This is ApacheBench, Version %s\n", VERSION " <$Revision: 1.66 $> apache-1.3"); + printf("This is ApacheBench, Version %s\n", VERSION " <$Revision: 1.67 $> apache-1.3"); printf("Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\n"); printf("Copyright (c) 1998-2002 The Apache Software Foundation, http://www.apache.org/\n"); printf("\n"); } else { printf("

\n"); - printf(" This is ApacheBench, Version %s <%s> apache-1.3
\n", VERSION, "$Revision: 1.66 $"); + printf(" This is ApacheBench, Version %s <%s> apache-1.3
\n", VERSION, "$Revision: 1.67 $"); printf(" Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
\n"); printf(" Copyright (c) 1998-2002 The Apache Software Foundation, http://www.apache.org/
\n"); printf("

\n

\n"); @@ -1575,9 +1576,9 @@ int main(int argc, char **argv) strcpy(content_type, optarg); break; case 'C': - strncat(cookie, "Cookie: ", sizeof(cookie)); - strncat(cookie, optarg, sizeof(cookie)); - strncat(cookie, "\r\n", sizeof(cookie)); + strncat(cookie, "Cookie: ", sizeof(cookie)-strlen(cookie)-1); + strncat(cookie, optarg, sizeof(cookie)-strlen(cookie)-1); + strncat(cookie, "\r\n", sizeof(cookie)-strlen(cookie)-1); break; case 'A': /* @@ -1589,9 +1590,9 @@ int main(int argc, char **argv) l = ap_base64encode(tmp, optarg, strlen(optarg)); tmp[l] = '\0'; - strncat(auth, "Authorization: Basic ", sizeof(auth)); - strncat(auth, tmp, sizeof(auth)); - strncat(auth, "\r\n", sizeof(auth)); + strncat(auth, "Authorization: Basic ", sizeof(auth)-strlen(auth)-1); + strncat(auth, tmp, sizeof(auth)-strlen(auth)-1); + strncat(auth, "\r\n", sizeof(auth)-strlen(auth)-1); break; case 'P': /* @@ -1602,9 +1603,9 @@ int main(int argc, char **argv) l = ap_base64encode(tmp, optarg, strlen(optarg)); tmp[l] = '\0'; - strncat(auth, "Proxy-Authorization: Basic ", sizeof(auth)); - strncat(auth, tmp, sizeof(auth)); - strncat(auth, "\r\n", sizeof(auth)); + strncat(auth, "Proxy-Authorization: Basic ", sizeof(auth)-strlen(auth)-1); + strncat(auth, tmp, sizeof(auth)-strlen(auth)-1); + strncat(auth, "\r\n", sizeof(auth)-strlen(auth)-1); break; case 'X': { @@ -1622,8 +1623,8 @@ int main(int argc, char **argv) } break; case 'H': - strncat(hdrs, optarg, sizeof(hdrs)); - strncat(hdrs, "\r\n", sizeof(hdrs)); + strncat(hdrs, optarg, sizeof(hdrs)-strlen(hdrs)-1); + strncat(hdrs, "\r\n", sizeof(hdrs)-strlen(hdrs)-1); break; case 'V': copyright();