summaryrefslogtreecommitdiff
path: root/support
diff options
context:
space:
mode:
authorLuca Toscano <elukey@apache.org>2017-09-11 10:28:09 +0000
committerLuca Toscano <elukey@apache.org>2017-09-11 10:28:09 +0000
commit417cc6a6903afe2a5ecea519c28cc920584e4286 (patch)
tree6f1f25872a56e419936bc1bad57aaac5e028e112 /support
parent8a8c24ac894d5109accb9c0c0da889d9d419ab56 (diff)
downloadhttpd-417cc6a6903afe2a5ecea519c28cc920584e4286.tar.gz
htdigest: prevent buffer overflow when strings in lines are too long.
Reported by: Hanno Böck PR: 61511 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1808008 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'support')
-rw-r--r--support/htdigest.c24
1 files changed, 17 insertions, 7 deletions
diff --git a/support/htdigest.c b/support/htdigest.c
index 018c0ea200..43f705442e 100644
--- a/support/htdigest.c
+++ b/support/htdigest.c
@@ -59,6 +59,7 @@
#endif /* APR_CHARSET_EBCDIC */
#define MAX_STRING_LEN 256
+#define MAX_LINE_LEN 768
apr_file_t *tfp = NULL;
apr_file_t *errfile;
@@ -75,12 +76,16 @@ static void cleanup_tempfile_and_exit(int rc)
exit(rc);
}
-static void getword(char *word, char *line, char stop)
+static int getword(char *word, char *line, char stop)
{
int x = 0, y;
- for (x = 0; ((line[x]) && (line[x] != stop)); x++)
+ for (x = 0; ((line[x]) && (line[x] != stop)); x++) {
+ if (x == (MAX_STRING_LEN - 1)) {
+ return 1;
+ }
word[x] = line[x];
+ }
word[x] = '\0';
if (line[x])
@@ -88,6 +93,8 @@ static void getword(char *word, char *line, char stop)
y = 0;
while ((line[y++] = line[x++]));
+
+ return 0;
}
static int get_line(char *s, int n, apr_file_t *f)
@@ -127,7 +134,7 @@ static void add_password(const char *user, const char *realm, apr_file_t *f)
char *pw;
apr_md5_ctx_t context;
unsigned char digest[16];
- char string[3 * MAX_STRING_LEN]; /* this includes room for 2 * ':' + '\0' */
+ char string[MAX_LINE_LEN]; /* this includes room for 2 * ':' + '\0' */
char pwin[MAX_STRING_LEN];
char pwv[MAX_STRING_LEN];
unsigned int i;
@@ -191,8 +198,8 @@ int main(int argc, const char * const argv[])
char *dirname;
char user[MAX_STRING_LEN];
char realm[MAX_STRING_LEN];
- char line[3 * MAX_STRING_LEN];
- char l[3 * MAX_STRING_LEN];
+ char line[MAX_LINE_LEN];
+ char l[MAX_LINE_LEN];
char w[MAX_STRING_LEN];
char x[MAX_STRING_LEN];
int found;
@@ -261,8 +268,11 @@ int main(int argc, const char * const argv[])
continue;
}
strcpy(l, line);
- getword(w, l, ':');
- getword(x, l, ':');
+ if (getword(w, l, ':') || getword(x, l, ':')) {
+ apr_file_printf(errfile, "The following line contains a string longer than the "
+ "allowed maximum size (%i): %s\n", MAX_STRING_LEN - 1, line);
+ cleanup_tempfile_and_exit(1);
+ }
if (strcmp(user, w) || strcmp(realm, x)) {
putline(tfp, line);
continue;