From 0b3798c99ea8eb41a8146248a4247c2dcc5e263b Mon Sep 17 00:00:00 2001
From: "Mark J. Cox"
Date: Thu, 27 Jul 2006 17:09:03 +0000
Subject: [PATCH] SECURITY: CVE-2006-3747 (cve.mitre.org) mod_rewrite: Fix an off-by-one security problem in the ldap scheme handling. For some RewriteRules this could lead to a pointer being written out of bounds. Reported by Mark Dowd of McAfee.
Reviewed by: trawick, lars, jorton, wrowe, benl
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@426146 13f79535-47bb-0310-9956-ffa450edef68
---
 src/CHANGES | 6 ++++++
 src/modules/standard/mod_rewrite.c | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/CHANGES b/src/CHANGES
index f8e48febb50..5f2090a8346 100644
--- a/src/CHANGES
+++ b/src/CHANGES
@@ -1,5 +1,11 @@
 Changes with Apache 1.3.37
+ *) SECURITY: CVE-2006-3747 (cve.mitre.org)
+ mod_rewrite: Fix an off-by-one security problem in the ldap scheme
+ handling. For some RewriteRules this could lead to a pointer being
+ written out of bounds. Reported by Mark Dowd of McAfee.
+ [Mark Cox]
+
 Changes with Apache 1.3.36
 *) Reverted SVN rev #396294 due to unwanted regression.
diff --git a/src/modules/standard/mod_rewrite.c b/src/modules/standard/mod_rewrite.c
index fafc8a31657..35db954fb6d 100644
--- a/src/modules/standard/mod_rewrite.c
+++ b/src/modules/standard/mod_rewrite.c
@@ -2736,7 +2736,7 @@ static char *escape_absolute_uri(ap_pool *p, char *uri, unsigned scheme)
 int c = 0;
 token[0] = cp = ap_pstrdup(p, cp);
- while (*cp && c < 5) {
+ while (*cp && c < 4) {
 if (*cp == '?') {
 token[++c] = cp + 1;
 *cp = '\0';
--
2.47.2
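Review bot: The new bound `c < 4` in the `while` condition of the mod_rewrite.c hunk is a bare literal whose correctness depends on the size of `token`, which is declared outside this hunk (presumably five elements, given the old bound; confirm against the declaration). Because the body stores through `token[++c]`, the index is incremented before the write, so the condition has to stop at one less than the element count, and nothing in the code records that. If `token` is a local array, tie the bound to it, e.g. `while (*cp && c < (int)(sizeof(token) / sizeof(token[0])) - 1) {`, and add a comment such as `/* ++c happens before the store, so c must stay below the last valid index of token[] */`. That way a later change to the array size cannot silently reintroduce the out-of-bounds pointer write. escape_absolute_uri starts and ends outside the hunk.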