You'll all be pleased to hear that Apache doesn't suffer from this problem
(getword allocates an appropriate amount of space from the pool).
Cheers,
Ben.
>
> Forwarded message:
> From erlendbm@logina.idb.hist.no Sat Sep 30 15:18:30 1995
> Message-Id: <m0szAED-00020XC@logina.idb.hist.no>
> From: Erlend Midttun <Erlend.Midttun@logina.idb.hist.no>
> Subject: Bufferoverflow
> To: apache-bugs@apache.org
> Date: Sat, 30 Sep 1995 23:17:51 +0100 (MET)
> X-Mailer: ELM [version 2.4 PL24]
> MIME-Version: 1.0
> Content-Type: text/plain; charset=ISO-8859-1
> Content-Transfer-Encoding: 8bit
> Content-Length: 2809
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Hello,
>
> I picked this from comp.security.unix concerning the NCSA httpd.
> It appears that the very same code is present in Apache 0.8.14.
> If you have made improvements that eliminate this "feature", or if
> it turns out not to be a concern, please forgive me for wasting your time.
>
> ##########################################################################
>
> - From khsu@wam.umd.edu Wed Sep 27 12:32:54 1995
> Path: astfgl.idb.hist.no!nntp-trd.UNINETT.no!sunic!sunic.sunet.se!news.uni-c.dk!dkuug!icl.icl.dk!sw0198!news.icl.fi!news.eunet.fi!news.funet.fi!news.kolumbus.fi!news.sprintlink.net!howland.reston.ans.net!nntp.crl.com!decwrl!purdue!haven.umd.edu!cville-srv.wam.umd.edu!khsu
> From: khsu@wam.umd.edu (Kevin Hsu)
> Newsgroups: comp.security.unix
> Subject: Hmmm... I think I may have found something...
> Date: 25 Sep 1995 17:19:21 GMT
> Organization: University of Maryland, College Park
> Lines: 58
> Message-ID: <446oap$3r0@cville-srv.wam.umd.edu>
> NNTP-Posting-Host: rac10.wam.umd.edu
>
>
> Security gurus:
>
> I was looking through NCSA HTTPD's C source and found something fishy in
> /cgi-src/query.c and /cgi-src/util.c:
>
> ###QUERY.C###
>
> typedef struct {
> char name[128];
> char val[128];
> } entry;
>
> ...
>
> for(x=0;cl[0] != '\0';x++) {
> m=x;
> getword(entries[x].val,cl,'&');
> plustospace(entries[x].val);
> unescape_url(entries[x].val);
> getword(entries[x].name,entries[x].val,'=');
> }
> ...
>
> ###UTIL.C###
>
> void getword(char *word, char *line, char stop) {
> int x = 0,y;
>
> for(x=0;((line[x]) && (line[x] != stop));x++)
> word[x] = line[x];
>
> word[x] = '\0';
> if(line[x]) ++x;
> y=0;
>
> while(line[y++] = line[x++]);
> }
>
> ...
>
>
>
>
> ###########################################################
>
> Is it me, or does this code suffer the same problem that the finger daemon
> suffered years ago? Can't someone overwrite the program's text and stack with
> their own? Or am I just naive?
>
> Please respond...I'd like to know if I'm just rehashing a well-known hole
> or missing something obvious.
>
>
> Kevin Hsu
> Software Engineering Manager
> Proxima, Inc.
>
>
> ###
>
> Erlend..
> - --
> Erlend Midttun erlendbm@colargol.stud.idb.hist.no
> IRC: Golle
> http://colargol.idb.hist.no/~erlendbm/ A Linux User
> inews: signature too long. Article not posted.
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2i
>
> -----END PGP SIGNATURE-----
>
--
Ben Laurie Phone: +44 (181) 994 6435
Freelance Consultant Fax: +44 (181) 994 6472
and Technical Director Email: ben@algroup.co.uk
A.L. Digital Ltd,
London, England.
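Ben's point above is that Apache's getword sizes the destination from the pool. The following is an added example, not NCSA's or Apache's code (getword_n, parse_query and demo are hypothetical names): a bounded variant of the quoted getword, and the query.c loop rewritten around it, so that an over-long field is truncated and reported instead of overrunning the 128-byte val[] and name[] arrays.

```c
#include <string.h>

/* Bounded stand-in for the getword() quoted above (hypothetical name getword_n,
 * not NCSA's or Apache's code). Copies at most wordsz-1 bytes of the field
 * before 'stop' into word, always NUL-terminates, then shifts the rest of line
 * down as the original does. Returns 0 if the field fit, -1 if truncated. */
int getword_n(char *word, size_t wordsz, char *line, char stop) {
    size_t fieldlen = 0, ncopy, x, y = 0;
    int rc = 0;
    if (wordsz == 0) return -1;              /* no room even for the NUL */
    while (line[fieldlen] && line[fieldlen] != stop) fieldlen++;
    if (fieldlen >= wordsz) rc = -1;         /* this is where the original overruns */
    ncopy = rc ? wordsz - 1 : fieldlen;
    memcpy(word, line, ncopy);
    word[ncopy] = '\0';
    x = fieldlen;
    if (line[x]) ++x;                        /* step over the separator */
    while ((line[y++] = line[x++]) != '\0'); /* consume the field from line */
    return rc;
}

typedef struct { char name[128]; char val[128]; } entry;

/* The query.c loop with the bounded copy and a cap on the entry count (the
 * quoted loop does not check x against the entries array). plustospace and
 * unescape_url are not on the page and are omitted. Returns entries filled. */
int parse_query(char *cl, entry *entries, int maxent, int *truncated) {
    int n;
    *truncated = 0;
    for (n = 0; cl[0] != '\0' && n < maxent; n++) {
        if (getword_n(entries[n].val, sizeof entries[n].val, cl, '&') < 0) *truncated = 1;
        if (getword_n(entries[n].name, sizeof entries[n].name, entries[n].val, '=') < 0) *truncated = 1;
    }
    return n;
}

/* Constructed input: a 302-byte "q=AAA..." field, longer than val[128], which
 * would overrun in the original. Returns 1 when the parse completes safely. */
int demo(void) {
    static char cl[400];
    entry entries[4];
    int truncated, n;
    strcpy(cl, "user=alice&q=");
    memset(cl + 13, 'A', 300);
    cl[313] = '\0';
    n = parse_query(cl, entries, 4, &truncated);
    return n == 2 && truncated == 1 && strcmp(entries[0].name, "user") == 0 &&
           strcmp(entries[0].val, "alice") == 0 && strcmp(entries[1].name, "q") == 0 &&
           strlen(entries[1].val) == 125;   /* 127 kept minus the "q=" prefix */
}
```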