author | Henning Brauer <henning@cvs.openbsd.org> | 2003-10-29 10:11:01 +0000 |
---|---|---|
committer | Henning Brauer <henning@cvs.openbsd.org> | 2003-10-29 10:11:01 +0000 |
commit | 06381ac8769c4ba1fcf2dfadd4ce6e389f5ce369 (patch) | |
tree | 5e31fdf5d1a2c436796962a1235d2ca56c80f645 | |
parent | e30b38b859b7a7937077e8149433bbfbbfbcf2d8 (diff) |
security fix from upcoming apache 1.3.29:
SECURITY: CAN-2003-0542 (cve.mitre.org)
Fix buffer overflows in mod_alias and mod_rewrite which occurred if
one configured a regular expression with more than 9 captures.
[André Malo]
ok markus@
-rw-r--r-- | usr.sbin/httpd/src/include/httpd.h | 3 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/standard/mod_alias.c | 8 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/standard/mod_rewrite.c | 13 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/standard/mod_rewrite.h | 4 |
4 files changed, 14 insertions, 14 deletions
diff --git a/usr.sbin/httpd/src/include/httpd.h b/usr.sbin/httpd/src/include/httpd.h
index 3908ef0fa15..2cbd208dc49 100644
--- a/usr.sbin/httpd/src/include/httpd.h
+++ b/usr.sbin/httpd/src/include/httpd.h
@@ -291,6 +291,9 @@ extern "C" {
 /* The size of the server's internal read-write buffers */
 #define IOBUFSIZE 8192
+/* The max number of regex captures that can be expanded by ap_pregsub */
+#define AP_MAX_REG_MATCH 10
+
 /* Number of servers to spawn off by default --- also, if fewer than
 * this free when the caretaker checks, it will spawn more.
 */
diff --git a/usr.sbin/httpd/src/modules/standard/mod_alias.c b/usr.sbin/httpd/src/modules/standard/mod_alias.c
index 8db25057bc5..118a19cb607 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_alias.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_alias.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mod_alias.c,v 1.10 2003/08/21 13:11:36 henning Exp $ */
+/* $OpenBSD: mod_alias.c,v 1.11 2003/10/29 10:11:00 henning Exp $ */
 /* ====================================================================
 * The Apache Software License, Version 1.1
@@ -304,7 +304,7 @@ static int alias_matches(const char *uri, const char *alias_fakename)
 static char *try_alias_list(request_rec *r, array_header *aliases, int doesc, int *status)
 {
 alias_entry *entries = (alias_entry *) aliases->elts;
- regmatch_t regm[10];
+ regmatch_t regm[AP_MAX_REG_MATCH];
 char *found = NULL;
 int i;
@@ -313,10 +313,10 @@ static char *try_alias_list(request_rec *r, array_header *aliases, int doesc, in
 int l;
 if (p->regexp) {
- if (!ap_regexec(p->regexp, r->uri, p->regexp->re_nsub + 1, regm, 0)) {
+ if (!ap_regexec(p->regexp, r->uri, AP_MAX_REG_MATCH, regm, 0)) {
 if (p->real) {
 found = ap_pregsub(r->pool, p->real, r->uri,
- p->regexp->re_nsub + 1, regm);
+ AP_MAX_REG_MATCH, regm);
 if (found && doesc) {
 found = ap_escape_uri(r->pool, found);
 }
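Review bot: The comment added above `AP_MAX_REG_MATCH` in httpd.h does not say that the value includes slot 0 (the whole match), nor that it is also the required length of the `regmatch_t` arrays callers hand to ap_regexec() and ap_pregsub(). The rest of this commit relies on exactly that, so I would spell it out: `/* Length of every regmatch_t array passed to ap_regexec()/ap_pregsub(): slot 0 plus captures 1-9; captures beyond the ninth are not recorded */`. A reader then knows that a pattern with more groups is truncated rather than rejected.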
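Review bot: In try_alias_list the capture count given to ap_regexec() and ap_pregsub() is the macro name repeated at each call rather than a value taken from `regm` itself, so the declaration (hunk at -304) and the two calls (hunk at -313) agree only by convention. Passing `sizeof(regm) / sizeof(regm[0])` at both call sites would make the bound follow the array even if one declaration is edited later. The same applies to the `regmatch` arrays and ap_regexec() calls in the apply_rewrite_rule and apply_rewrite_cond hunks of mod_rewrite.c. try_alias_list's body continues outside these hunks.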
diff --git a/usr.sbin/httpd/src/modules/standard/mod_rewrite.c b/usr.sbin/httpd/src/modules/standard/mod_rewrite.c
index 4885d44f3a6..5e06b0ff671 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_rewrite.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_rewrite.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mod_rewrite.c,v 1.19 2003/08/21 13:11:37 henning Exp $ */
+/* $OpenBSD: mod_rewrite.c,v 1.20 2003/10/29 10:11:00 henning Exp $ */
 /* ====================================================================
 * The Apache Software License, Version 1.1
@@ -1845,7 +1845,7 @@ static int apply_rewrite_rule(request_rec *r, rewriterule_entry *p,
 const char *vary;
 char newuri[MAX_STRING_LEN];
 regex_t *regexp;
- regmatch_t regmatch[MAX_NMATCH];
+ regmatch_t regmatch[AP_MAX_REG_MATCH];
 backrefinfo *briRR = NULL;
 backrefinfo *briRC = NULL;
 int prefixstrip;
@@ -1902,7 +1902,7 @@ static int apply_rewrite_rule(request_rec *r, rewriterule_entry *p,
 rewritelog(r, 3, "[per-dir %s] applying pattern '%s' to uri '%s'", perdir, p->pattern, uri);
 }
- rc = (ap_regexec(regexp, uri, regexp->re_nsub+1, regmatch, 0) == 0);
+ rc = (ap_regexec(regexp, uri, AP_MAX_REG_MATCH, regmatch, 0) == 0);
 if (! (( rc && !(p->flags & RULEFLAG_NOTMATCH)) || (!rc && (p->flags & RULEFLAG_NOTMATCH)) ) ) {
 return 0;
@@ -2190,7 +2190,7 @@ static int apply_rewrite_cond(request_rec *r, rewritecond_entry *p,
 char input[MAX_STRING_LEN];
 struct stat sb;
 request_rec *rsub;
- regmatch_t regmatch[MAX_NMATCH];
+ regmatch_t regmatch[AP_MAX_REG_MATCH];
 int rc;
 /*
@@ -2294,8 +2294,7 @@ static int apply_rewrite_cond(request_rec *r, rewritecond_entry *p,
 }
 else {
 /* it is really a regexp pattern, so apply it */
- rc = (ap_regexec(p->regexp, input,
- p->regexp->re_nsub+1, regmatch,0) == 0);
+ rc = (ap_regexec(p->regexp, input, AP_MAX_REG_MATCH, regmatch,0) == 0);
 /* if it isn't a negated pattern and really matched we update the passed-through regex subst info structure */
@@ -2453,7 +2452,7 @@ static void do_expand(request_rec *r, char *input, char *buffer, int nbuf,
 bri = briRC;
 }
 /* see ap_pregsub() in src/main/util.c */
- if (bri && n <= bri->nsub &&
+ if (bri && n < AP_MAX_REG_MATCH &&
 bri->regmatch[n].rm_eo > bri->regmatch[n].rm_so) {
 span = bri->regmatch[n].rm_eo - bri->regmatch[n].rm_so;
 if (span > space) {
diff --git a/usr.sbin/httpd/src/modules/standard/mod_rewrite.h b/usr.sbin/httpd/src/modules/standard/mod_rewrite.h
index f2244b9478a..9cf3907236f 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_rewrite.h
+++ b/usr.sbin/httpd/src/modules/standard/mod_rewrite.h
@@ -253,8 +253,6 @@
 #define MAX_ENV_FLAGS 15
-#define MAX_NMATCH 10
-
 /* default maximum number of internal redirects */
 #define REWRITE_REDIRECT_LIMIT 10
@@ -368,7 +366,7 @@ typedef struct cache {
 typedef struct backrefinfo {
 char *source;
 int nsub;
- regmatch_t regmatch[10];
+ regmatch_t regmatch[AP_MAX_REG_MATCH];
 } backrefinfo; |
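Review bot: The rewritten guard in do_expand bounds `n` by the array length but no longer by `bri->nsub`, so slots above the pattern's own capture count are now read from `bri->regmatch`. That is safe only if every `backrefinfo` was filled from a successful ap_regexec() call made with AP_MAX_REG_MATCH entries, or was otherwise initialised; the code that builds `backrefinfo` is outside this hunk, so this could not be confirmed here, and the negated-pattern path is the case to check. Keeping both bounds costs nothing and leaves the `nsub` field meaningful: `if (bri && n < AP_MAX_REG_MATCH && n <= bri->nsub &&`. do_expand's body starts and ends outside the hunk.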