oss-sec mailing list archives

Apache mod_dav off-by-one


From: Evgeny Legerov <admin () vulndisco cc>
Date: Tue, 9 Aug 2022 14:50:34 +0300

Hi,


How is it that the Apache process_if_header off-by-one, which has been mentioned in The Art of Software Security Assessment (page 420), still remains unpatched?

What am I missing?


The code from Apache 2.4.54:

static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih)
{
...

            while (*list) {
                /* List is the entire production (in a uri scope) */

                switch (*list) {
                ...
                case 'N':
                    if (list[1] == 'o' && list[2] == 't') {
                        if (condition != DAV_IF_COND_NORMAL) {
                            return dav_new_error(r->pool, HTTP_BAD_REQUEST,
                                                 DAV_ERR_IF_MULTIPLE_NOT, 0,
                                                 "Invalid \"If:\" header: "
                                                 "Multiple \"not\" entries "
                                                 "for the same state.");
                        }
                        condition = DAV_IF_COND_NOT;
                    }
                    list += 2;
                    break;

It is not only an out-of-bounds read: dav_fetch_next_token() will write a NULL byte on the next iteration.


regards,

-e
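As an added illustration (not part of the original post, not Apache code and not a proposed mod_dav patch), the same keyword test written with explicit length checks: a byte is compared only when it lies inside the buffer, and a header that ends in the middle of the keyword is reported instead of being stepped over. The function names, the enum and the sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of testing for the "Not" keyword at the start of a token list. */
enum not_result { NOT_MATCH, NOT_NO_MATCH, NOT_TRUNCATED };

/*
 * Bounds-checked test for the "Not" keyword. Unlike the unchecked
 * "list[1] == 'o' && list[2] == 't'" followed by "list += 2", this never
 * reads a byte at or beyond list + len, and it refuses to advance past a
 * keyword the input cuts short ("N" or "No" at the end of the header).
 * On a match, *consumed is the number of bytes the caller may skip.
 */
enum not_result match_not_keyword(const char *list, size_t len,
                                  size_t *consumed)
{
    *consumed = 0;
    if (len == 0 || list[0] != 'N')
        return NOT_NO_MATCH;
    if (len < 3)            /* "N" or "No" with the terminator right behind */
        return NOT_TRUNCATED;
    if (list[1] == 'o' && list[2] == 't') {
        *consumed = 3;
        return NOT_MATCH;
    }
    return NOT_NO_MATCH;    /* caller should treat this as a malformed header */
}

/* Convenience wrapper for NUL-terminated input. */
enum not_result match_not_keyword_str(const char *list, size_t *consumed)
{
    return match_not_keyword(list, strlen(list), consumed);
}

int main(void)
{
    /* Constructed samples; the last two model a header that ends inside the
     * keyword, the case the unchecked pointer arithmetic mishandles. */
    const char *samples[] = { "Not <urn:x>", "<urn:x>", "N", "No" };
    static const char *names[] = { "match", "no match", "truncated" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t used;
        enum not_result r = match_not_keyword_str(samples[i], &used);
        printf("%-12s -> %s (consume %zu)\n", samples[i], names[r], used);
    }
    return 0;
}
```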

