[BugDB] Buffer overflow in mod_ssl (patch enclosed) (PR#724)

on 23.06.2002 10:07:03 by modssl-bugdb

Full_Name: Frank Denis - Jedi/Sector One
Version: 2.8.8 (OpenBSD-current)
OS: OpenBSD
Submission from: (NULL) (212.198.0.93)


There's an easy-to-exploit (through .htaccess files) buffer overflow in mod_ssl.
The EAPI's rewrite parser hook skips spaces without checking whether the pointer
went past the end of the buffer.

Fix follows:

--- src/modules/ssl/ssl_engine_compat.c.orig Thu Mar 29 12:21:24 2001
+++ src/modules/ssl/ssl_engine_compat.c Sun Jun 23 09:39:54 2002
@@ -300,16 +300,16 @@
* Skip comment lines
*/
cp = (char *)oline;
- while ((*cp == ' ' || *cp == '\t' || *cp == '\n') && (*cp != NUL))
+ for (i = 0; (*cp == ' ' || *cp == '\t' || *cp == '\n') && (*cp != NUL) &&
++
i < sizeof(caCmd); )
cp++;
- if (*cp == '#' || *cp == NUL)
+ if (*cp == '#' || *cp == NUL || i >= sizeof(caCmd))
return NULL;

/*
* Extract directive name
*/
cp = (char *)oline;
- for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < 1024; )
+ for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < sizeof(caCmd) -
1
; )
caCmd[i++] = *cp++;
caCmd[i] = NUL;
cpArgs = cp;
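Review bot: The bound that actually matters in this hunk is the second one, `i < sizeof(caCmd) - 1` on the directive-name copy: with the old `i < 1024`, a name of 1024 or more non-blank characters lets `i` reach 1024 before the loop stops, and the following `caCmd[i] = NUL` then writes one byte past the end of a 1024-byte `caCmd`. The new bound on the whitespace-skip loop (`i < sizeof(caCmd)`) adds little, since that loop writes nothing into `caCmd`, its `*cp != NUL` test already stops at the end of the string, and `cp = (char *)oline;` is reset right after it anyway. Consider also the behaviour on an over-long name: with `sizeof(caCmd) - 1` the name is silently truncated and the remainder becomes `cpArgs`; returning NULL (or otherwise rejecting the line) when the loop exits on the length bound rather than on a delimiter would make the failure visible instead of parsing a truncated directive. The `++` / line-wrap around `i < sizeof(caCmd); )` looks like cut-and-paste damage, which the report itself notes; the linked patch file should be used as the authoritative copy.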

Cut/pasting patches in HTML forms often gives bad results, so for convenience you
can also fetch the trivial patch from here:

http://www.42-networks.com/ssl_parse_overflow.patch
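For readers who want to see the failure mode in isolation, the following is an added example (not mod_ssl's code, and not part of the report or the enclosed patch) of the directive-line parse the report describes, written so that the name copy keeps one byte for the terminator and rejects an over-long name instead of truncating it. The buffer size `CMD_MAX`, the function names and the result codes are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the directive-name buffer (the report's caCmd). */
#define CMD_MAX 1024

enum parse_result {
    PARSE_OK = 0,       /* directive name extracted */
    PARSE_SKIP = 1,     /* blank or comment line: nothing to do */
    PARSE_TOO_LONG = 2  /* name would not fit: rejected, not truncated */
};

/* Parse one line of the form "Directive args...".
 * cmd receives the directive name, NUL-terminated, at most cmdsz-1 bytes;
 * *args is set to the remainder of the line after the name. */
enum parse_result parse_directive(const char *oline, char *cmd, size_t cmdsz,
                                  const char **args)
{
    const char *cp = oline;
    size_t i = 0;

    if (cmdsz == 0)
        return PARSE_TOO_LONG;
    cmd[0] = '\0';
    if (args)
        *args = NULL;

    /* Skip leading whitespace. The loop stops at the string's NUL; no index
       is needed here because nothing is written into cmd. */
    while (*cp == ' ' || *cp == '\t' || *cp == '\n')
        cp++;

    if (*cp == '#' || *cp == '\0')
        return PARSE_SKIP;

    /* Copy the directive name. The check runs before each store, so i can
       never exceed cmdsz-1 and the terminator below always fits. */
    while (*cp != ' ' && *cp != '\t' && *cp != '\n' && *cp != '\0') {
        if (i >= cmdsz - 1) {
            cmd[0] = '\0';
            return PARSE_TOO_LONG;
        }
        cmd[i++] = *cp++;
    }
    cmd[i] = '\0';
    if (args)
        *args = cp;
    return PARSE_OK;
}

/* Parse into a CMD_MAX buffer and report the name length,
   -1 for a skipped line, -2 for an over-long name. */
int parsed_name_length(const char *line)
{
    char cmd[CMD_MAX];
    const char *args;
    enum parse_result r = parse_directive(line, cmd, sizeof cmd, &args);

    if (r == PARSE_SKIP)
        return -1;
    if (r == PARSE_TOO_LONG)
        return -2;
    return (int)strlen(cmd);
}

/* Build a constructed line of n 'X' characters (capped at CMD_MAX) followed
   by a newline, and parse it. n == CMD_MAX is the case that an unbounded
   `i < 1024` copy into a 1024-byte array turns into a one-byte overflow. */
int long_name_result(size_t n)
{
    char line[CMD_MAX + 2];

    if (n > CMD_MAX)
        n = CMD_MAX;
    memset(line, 'X', n);
    line[n] = '\n';
    line[n + 1] = '\0';
    return parsed_name_length(line);
}

int main(void)
{
    printf("normal line   -> %d\n", parsed_name_length("SSLRequireSSL on\n"));
    printf("comment line  -> %d\n", parsed_name_length("   # comment\n"));
    printf("1023-byte name-> %d\n", long_name_result(CMD_MAX - 1));
    printf("1024-byte name-> %d\n", long_name_result(CMD_MAX));
    return 0;
}
```

The check sits before the store rather than in the loop condition so that reaching the bound is distinguishable from reaching a delimiter; the caller then sees a distinct result for a name that does not fit instead of a truncated name with the overflow bytes reinterpreted as arguments.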

Best regards,

-Jedi.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org