apache
BufferOverflow when HAS_APACHE_REGEX_LIB.
feature HAS_APACHE_REGEX_LIB makes a copy using the strncpy function. The size of characters copied is sizeof(newuri)-1, but the \0 character has been assigned to newuri[sizeof(newuri-1)] instead.
Bug fixed by commit dbafef17dd1
| Type | BufferOverflow |
| Config | "HAS_APACHE_REGEX_LIB" (1st degree) |
| Fix-in | code |
| Location | modules/standard/ |
#include <stdlib.h>
#include <string.h>
#define MAX_STRING_LEN 20
void apply_rewrite_rule()
{
char newuri[MAX_STRING_LEN];
#ifdef HAS_APACHE_REGEX_LIB
strncpy(newuri, "pregsub()", sizeof(newuri)-1);
newuri[sizeof(newuri-1)] = '\0';
#endif
// more code making of 'newuri'
}
int main(void)
{
apply_rewrite_rule();
return 0;
}
. call modules/standard/mod_rewrite.c:1376:apply_rewrite_rule() . // if HAS_APACHE_REGEX_LIB is enabled . ERROR 1547: newuri[sizeof(newuri-1)] = '\0';