ben 98/05/09 08:00:50
Modified: src/os/win32 util_win32.c
Log:
Check for buffer overflows.
Revision Changes Path
1.16 +20 -12 apache-1.3/src/os/win32/util_win32.c
Index: util_win32.c
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/os/win32/util_win32.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- util_win32.c 1998/05/02 23:25:48 1.15
+++ util_win32.c 1998/05/09 15:00:50 1.16
@@ -1,11 +1,10 @@
#include <windows.h>
-#include <assert.h>
#include <sys/stat.h>
#include <stdarg.h>
#include "httpd.h"
-static void sub_canonical_filename(char *szCanon, const char *szFile)
+static void sub_canonical_filename(char *szCanon, unsigned nCanon, const char *szFile)
{
char buf[HUGE_STRING_LEN];
int n;
@@ -14,8 +13,8 @@
HANDLE h;
n = GetFullPathName(szFile, sizeof buf, buf, &szFilePart);
- assert(n);
- assert(n < sizeof buf);
+ ap_assert(n);
+ ap_assert(n < sizeof buf);
/* If we have \\machine\share, convert to \\machine\share\ */
if (buf[0] == '\\' && buf[1] == '\\') {
@@ -34,16 +33,17 @@
}
if (szFilePart < buf+3) {
+ ap_assert(strlen(buf) < nCanon);
strcpy(szCanon, buf);
if(szCanon[0] != '\\') { /* a \ at the start means it is UNC, otherwise it is x: */
- assert(isalpha(szCanon[0]));
- assert(szCanon[1] == ':');
+ ap_assert(isalpha(szCanon[0]));
+ ap_assert(szCanon[1] == ':');
szCanon[2] = '/';
}
else {
char *s;
- assert(szCanon[1] == '\\');
+ ap_assert(szCanon[1] == '\\');
for(s=szCanon ; *s ; ++s)
if(*s == '\\')
*s='/';
@@ -52,22 +52,27 @@
}
if (szFilePart != buf+3) {
char b2[_MAX_PATH];
- assert(szFilePart > buf+3);
+ ap_assert(szFilePart > buf+3);
szFilePart[-1]='\0';
- sub_canonical_filename(b2, buf);
+ sub_canonical_filename(b2, sizeof b2, buf);
+ ap_assert(strlen(b2)+1 < nCanon);
strcpy(szCanon, b2);
strcat(szCanon, "/");
}
else {
+ ap_assert(strlen(buf) < nCanon);
strcpy(szCanon, buf);
szCanon[2] = '/';
szCanon[3] = '\0';
}
- if (h == INVALID_HANDLE_VALUE)
+ if (h == INVALID_HANDLE_VALUE) {
+ ap_assert(strlen(szCanon)+strlen(szFilePart) < nCanon);
strcat(szCanon, szFilePart);
+ }
else {
+ ap_assert(strlen(szCanon)+strlen(d.cFileName) < nCanon);
strlwr(d.cFileName);
strcat(szCanon, d.cFileName);
}
@@ -83,16 +88,19 @@
char b2[HUGE_STRING_LEN];
char *s;
+ ap_assert(strlen(szFile) < sizeof b2);
strcpy(b2,szFile);
for(s=b2 ; *s ; ++s)
if(*s == '/')
*s='\\';
- sub_canonical_filename(buf, b2);
+ sub_canonical_filename(buf, sizeof buf, b2);
buf[0]=tolower(buf[0]);
- if (*szFile && szFile[strlen(szFile)-1] == '/' && buf[strlen(buf)-1] != '/')
+ if (*szFile && szFile[strlen(szFile)-1] == '/' && buf[strlen(buf)-1] != '/') {
+ ap_assert(strlen(buf)+1 < sizeof buf);
strcat(buf, "/");
+ }
return ap_pstrdup(pPool, buf);
}
Modified: src/os/win32 util_win32.c
Log:
Check for buffer overflows.
Revision Changes Path
1.16 +20 -12 apache-1.3/src/os/win32/util_win32.c
Index: util_win32.c
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/os/win32/util_win32.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- util_win32.c 1998/05/02 23:25:48 1.15
+++ util_win32.c 1998/05/09 15:00:50 1.16
@@ -1,11 +1,10 @@
#include <windows.h>
-#include <assert.h>
#include <sys/stat.h>
#include <stdarg.h>
#include "httpd.h"
-static void sub_canonical_filename(char *szCanon, const char *szFile)
+static void sub_canonical_filename(char *szCanon, unsigned nCanon, const char *szFile)
{
char buf[HUGE_STRING_LEN];
int n;
@@ -14,8 +13,8 @@
HANDLE h;
n = GetFullPathName(szFile, sizeof buf, buf, &szFilePart);
- assert(n);
- assert(n < sizeof buf);
+ ap_assert(n);
+ ap_assert(n < sizeof buf);
/* If we have \\machine\share, convert to \\machine\share\ */
if (buf[0] == '\\' && buf[1] == '\\') {
@@ -34,16 +33,17 @@
}
if (szFilePart < buf+3) {
+ ap_assert(strlen(buf) < nCanon);
strcpy(szCanon, buf);
if(szCanon[0] != '\\') { /* a \ at the start means it is UNC, otherwise it is x: */
- assert(isalpha(szCanon[0]));
- assert(szCanon[1] == ':');
+ ap_assert(isalpha(szCanon[0]));
+ ap_assert(szCanon[1] == ':');
szCanon[2] = '/';
}
else {
char *s;
- assert(szCanon[1] == '\\');
+ ap_assert(szCanon[1] == '\\');
for(s=szCanon ; *s ; ++s)
if(*s == '\\')
*s='/';
@@ -52,22 +52,27 @@
}
if (szFilePart != buf+3) {
char b2[_MAX_PATH];
- assert(szFilePart > buf+3);
+ ap_assert(szFilePart > buf+3);
szFilePart[-1]='\0';
- sub_canonical_filename(b2, buf);
+ sub_canonical_filename(b2, sizeof b2, buf);
+ ap_assert(strlen(b2)+1 < nCanon);
strcpy(szCanon, b2);
strcat(szCanon, "/");
}
else {
+ ap_assert(strlen(buf) < nCanon);
strcpy(szCanon, buf);
szCanon[2] = '/';
szCanon[3] = '\0';
}
- if (h == INVALID_HANDLE_VALUE)
+ if (h == INVALID_HANDLE_VALUE) {
+ ap_assert(strlen(szCanon)+strlen(szFilePart) < nCanon);
strcat(szCanon, szFilePart);
+ }
else {
+ ap_assert(strlen(szCanon)+strlen(d.cFileName) < nCanon);
strlwr(d.cFileName);
strcat(szCanon, d.cFileName);
}
@@ -83,16 +88,19 @@
char b2[HUGE_STRING_LEN];
char *s;
+ ap_assert(strlen(szFile) < sizeof b2);
strcpy(b2,szFile);
for(s=b2 ; *s ; ++s)
if(*s == '/')
*s='\\';
- sub_canonical_filename(buf, b2);
+ sub_canonical_filename(buf, sizeof buf, b2);
buf[0]=tolower(buf[0]);
- if (*szFile && szFile[strlen(szFile)-1] == '/' && buf[strlen(buf)-1] != '/')
+ if (*szFile && szFile[strlen(szFile)-1] == '/' && buf[strlen(buf)-1] != '/') {
+ ap_assert(strlen(buf)+1 < sizeof buf);
strcat(buf, "/");
+ }
return ap_pstrdup(pPool, buf);
}