oss-sec mailing list archives
Apache mod_dav off-by-one
From: Evgeny Legerov <admin () vulndisco cc>
Date: Tue, 9 Aug 2022 14:50:34 +0300
Hi,

How does it happen that the Apache process_if_header off-by-one, which has been mentioned in
The Art of Software Security Assessment (page 420), still remains unpatched? What am I missing?

The code from Apache 2.4.54:

    static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih)
    {
        ...
        while (*list) {
            /* List is the entire production (in a uri scope) */

            switch (*list) {
            ...
            case 'N':
                if (list[1] == 'o' && list[2] == 't') {
                    if (condition != DAV_IF_COND_NORMAL) {
                        return dav_new_error(r->pool, HTTP_BAD_REQUEST,
                                             DAV_ERR_IF_MULTIPLE_NOT, 0,
                                             "Invalid \"If:\" header: "
                                             "Multiple \"not\" entries "
                                             "for the same state.");
                    }
                    condition = DAV_IF_COND_NOT;
                }
                list += 2;
                break;

It is not only an out-of-bounds read, dav_fetch_next_token() will write a NULL byte on the next iteration.
regards, -e
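To make the advance concrete, here is a constructed, reduced model of the 'N' branch quoted above (added for illustration; it is not Apache's code and the `strict` switch, the `SCAN_*` result codes and the `end` bound are assumptions of the model). With `strict == 0` it keeps the quoted `list += 2` shape, so a header ending in a lone "N" or "No" moves the pointer past the terminating NUL, which the model reports as `SCAN_PAST_END` instead of reading on; with `strict != 0` a bare 'N' is rejected before any advance.

```c
#include <stddef.h>
#include <string.h>

/* Constructed, reduced model of the 'N' branch of dav_process_if_header();
 * not Apache's code. Only the pieces that matter for the advance are kept. */
enum { SCAN_OK = 0, SCAN_NOT = 1, SCAN_BAD = -1, SCAN_PAST_END = -2 };

/* strict == 0 reproduces the quoted 2.4.54 shape: `list += 2` runs whether or
 * not "Not" matched. strict != 0 refuses a lone 'N' before advancing.
 * `end` is one past the terminating NUL (assumed bound of the model);
 * reaching it stands in for the out-of-bounds read the real loop would do. */
int scan_if_header(const char *hdr, int strict)
{
    const char *list = hdr;
    const char *end = hdr + strlen(hdr) + 1;
    int cond = SCAN_OK;

    while (list < end && *list) {
        switch (*list) {
        case 'N':
            if (strict && (list[1] != 'o' || list[2] != 't'))
                return SCAN_BAD;          /* bare 'N' is malformed: do not advance */
            /* If hdr ends in 'N', list[1] is the NUL: no match, yet the
             * unconditional `list += 2` below still skips past it. */
            if (list[1] == 'o' && list[2] == 't') {
                if (cond == SCAN_NOT)
                    return SCAN_BAD;      /* "Multiple \"not\" entries" */
                cond = SCAN_NOT;
            }
            list += 2;
            break;
        case ' ':
        case '\t':
            break;
        default:
            return SCAN_BAD;
        }
        list++;                           /* per-character advance of the outer loop */
    }
    return list >= end ? SCAN_PAST_END : cond;
}
```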