Bugtraq mailing list archives
Fixing the NCSA HTTPD 1.3
From: lopatic () dbs informatik uni-muenchen de (Thomas Lopatic)
Date: Tue, 14 Feb 1995 19:54:17 +0100 (MET)
Hi there, in addition to the posted patches, which fix the problem documented, I'd like to suggest the following measures to make sure that buffer overflows don't happen in other parts of the daemon either. Please comment. 1. define HUGE_STRING_LEN and MAX_STRING_LEN to a value of 4000 each (file httpd.h) 2. have getline() read only 1000 characters instead of HUGE_STRING_LEN (file http_request.c: getline(l,HUGE_STRING_LEN/4,in,timeout) instead of getline(l,HUGE_STRING_LEN,in,timeout)) This should at first sight pretty much eliminate the problem. It isn't at all good style, but it should do until an official patch is ready. Does anyone see any problems with this? Greetings, -Thomas -- Thomas Lopatic lopatic () informatik uni-muenchen de
Current thread:
- Vulnerability in NCSA HTTPD 1.3 Thomas Lopatic (Feb 13)
- Re: Vulnerability in NCSA HTTPD 1.3 Paul 'Shag' Walmsley (Feb 13)
- Re: Vulnerability in NCSA HTTPD 1.3 Christopher Davis (Feb 14)
- Re: Vulnerability in NCSA HTTPD 1.3 Robert M. Haas (Feb 14)
- Re: Vulnerability in NCSA HTTPD 1.3 Christopher Davis (Feb 16)
- Re: Vulnerability in NCSA HTTPD 1.3 Christopher Davis (Feb 14)
- Fixing the NCSA HTTPD 1.3 Thomas Lopatic (Feb 14)
- Re: Fixing the NCSA HTTPD 1.3 Paul 'Shag' Walmsley (Feb 15)
- Re: Fixing the NCSA HTTPD 1.3 Rens Troost (Feb 15)
- Re: Fixing the NCSA HTTPD 1.3 Paul 'Shag' Walmsley (Feb 15)
- For NCSA Http_1.05a Everett F Batey WA6CRE (Feb 15)
- Sendmail 8.6.9 Nathan Lawson (Feb 14)
- Re: Sendmail 8.6.9 Perry E. Metzger (Feb 14)
- Re: Sendmail 8.6.9 Tom Fitzgerald (Feb 14)
- Re: Sendmail 8.6.9 Perry E. Metzger (Feb 15)
- Re: Vulnerability in NCSA HTTPD 1.3 Paul 'Shag' Walmsley (Feb 13)