Bugtraq mailing list archives

Re: Fixing the NCSA HTTPD 1.3


From: ccshag () cclabs missouri edu (Paul 'Shag' Walmsley)
Date: Wed, 15 Feb 1995 23:57:26 -0600 (CST)


On Tue, 14 Feb 1995, Thomas Lopatic wrote:

Hi there,

in addition to the posted patches, which fix the problem documented, I'd like
to suggest the following measures to make sure that buffer overflows don't
happen in other parts of the daemon either. Please comment.

1. define HUGE_STRING_LEN and MAX_STRING_LEN to a value of 4000 each
   (file httpd.h)

2. have getline() read only 1000 characters instead of HUGE_STRING_LEN
   (file http_request.c: getline(l,HUGE_STRING_LEN/4,in,timeout) instead
    of getline(l,HUGE_STRING_LEN,in,timeout))

This should at first sight pretty much eliminate the problem. It isn't at all
good style, but it should do until an official patch is ready. Does anyone see
any problems with this?

Greetings,
-Thomas


I have taken Thomas' fixes (with one slight change, see below) and added
them to Christopher Davis' fix and built a patch for ease of installation. 

To use this, save the text after the "cut here" line as "httpd_1.3.patch",
download the source for httpd 1.3 from
ftp.ncsa.uiuc.edu:/Web/httpd/Unix/ncsa_httpd/httpd_1.3/httpd_source.tar.Z,
uncompress and untar it, and then cd into the httpd_1.3/src directory and
type "patch < ../../httpd_1.3.patch". 

The difference between the suggestions above and the patch below is that 
I set HUGE_STRING_LEN and MAX_STRING_LEN to 4096 (rather than 4000).  If 
this presents any additional problems, please tell me.

There are no warranties associated with this patch.  Install at your own 
risk.  Have fun.


- Paul "Shag" Walmsley <ccshag () cclabs missouri edu>
  "I'll drink a toast to bold evolution any day!"


----[ cut here ]----------------------------------------
diff -c -r httpd_1.3/src/http_request.c httpd_1.3a/src/http_request.c
*** httpd_1.3/src/http_request.c        Sat May  7 21:47:09 1994
--- httpd_1.3a/src/http_request.c       Wed Feb 15 23:28:35 1995
***************
*** 2,8 ****
   * http_request.c: functions to get and process requests
   * 
   * Rob McCool 3/21/93
!  * 
   */
  
  
--- 2,8 ----
   * http_request.c: functions to get and process requests
   * 
   * Rob McCool 3/21/93
!  *
   */
  
  
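Review bot: this hunk only strips a trailing space from a comment line in the file header and is unrelated to the overflow; drop it so the patch carries nothing but the security change, which also keeps `patch` from rejecting the hunk on trees where that header line differs.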
***************
*** 101,107 ****
    handle_request:
  #endif
      l[0] = '\0';
!     if(getline(l,HUGE_STRING_LEN,in,timeout))
          return;
      if(!l[0]) 
          return;
--- 101,107 ----
    handle_request:
  #endif
      l[0] = '\0';
!     if(getline(l,HUGE_STRING_LEN/4,in,timeout)) /* security patch */
          return;
      if(!l[0]) 
          return;
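Review bot: the divisor in `getline(l,HUGE_STRING_LEN/4,in,timeout)` is a magic number; that it is a 1024-byte request-line cap which must stay below MAX_STRING_LEN (now 4096) can only be recovered from the mailing-list thread, not from the code. Name it in httpd.h, e.g. `#define MAX_REQUEST_LINE (HUGE_STRING_LEN/4)`, and say in the comment that this cap is what keeps the later unbounded strcpy()s into MAX_STRING_LEN buffers in range. Also, what getline() does with a line longer than the limit is not visible in this hunk: if it stores the first 1023 bytes and leaves the remainder to be read as the next "line", an over-long request is silently split and mangled rather than refused; confirm that getline() takes the error path (the `return;` here) in that case.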
diff -c -r httpd_1.3/src/httpd.h httpd_1.3a/src/httpd.h
*** httpd_1.3/src/httpd.h       Sat May  7 21:47:12 1994
--- httpd_1.3a/src/httpd.h      Wed Feb 15 23:30:35 1995
***************
*** 251,258 ****
  #define SHELL_PATH "/bin/sh"
  
  /* The default string lengths */
! #define MAX_STRING_LEN 256
! #define HUGE_STRING_LEN 8192
  
  /* The timeout for waiting for messages */
  #define DEFAULT_TIMEOUT 1200
--- 251,258 ----
  #define SHELL_PATH "/bin/sh"
  
  /* The default string lengths */
! #define MAX_STRING_LEN 4096   /* security patch */
! #define HUGE_STRING_LEN 4096  /* security patch */
  
  /* The timeout for waiting for messages */
  #define DEFAULT_TIMEOUT 1200
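Review bot: with MAX_STRING_LEN and HUGE_STRING_LEN both 4096 the distinction between the two is gone, and every MAX_STRING_LEN local buffer now takes sixteen times the stack it did (the original value was 256). More importantly, nothing next to these defines records that they were chosen to exceed the getline() cap of HUGE_STRING_LEN/4, so a later edit to either constant can silently reopen the overflow; add a guard here, e.g. `#if HUGE_STRING_LEN/4 > MAX_STRING_LEN`, `#error "request line cap exceeds MAX_STRING_LEN"`, `#endif`.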
diff -c -r httpd_1.3/src/util.c httpd_1.3a/src/util.c
*** httpd_1.3/src/util.c        Sat May  7 21:47:15 1994
--- httpd_1.3a/src/util.c       Wed Feb 15 23:32:00 1995
***************
*** 158,164 ****
  
  void strsubfirst(int start,char *dest, char *src)
  {
!     char tmp[MAX_STRING_LEN];
  
      strcpy(tmp,&dest[start]);
      strcpy(dest,src);
--- 158,164 ----
  
  void strsubfirst(int start,char *dest, char *src)
  {
!     char tmp[MAX_STRING_LEN+HUGE_STRING_LEN]; /* security patch */
  
      strcpy(tmp,&dest[start]);
      strcpy(dest,src);
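Review bot: enlarging tmp to MAX_STRING_LEN+HUGE_STRING_LEN only protects the temporary; strsubfirst() still receives no size for dest, and the visible `strcpy(dest,src)` writes strlen(src) bytes into a caller buffer whose size the function cannot know, before the saved tail in tmp is put back (the hunk ends before that line). A long src combined with a long dest therefore still overruns the caller's buffer. Give the function a dest_size argument and return an error when strlen(src)+strlen(&dest[start])+1 exceeds it; once the size is known the result can be assembled in place with memmove() and the oversized tmp is unnecessary.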



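The two-part mitigation Thomas proposes above (cap what getline() may read, then size every buffer the line flows into above that cap), and the hole that remains in strsubfirst() because it never learns the size of dest, as an added C example that is not the NCSA httpd source and not part of the posted patch. read_request_line() is an assumed stand-in for getline() that reads from memory instead of a socket, strsubfirst_bounded() is an illustrative replacement rather than the daemon's function, and the request lines and paths are constructed inputs.

```c
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN  4096                  /* value set by the patch */
#define HUGE_STRING_LEN 4096                  /* value set by the patch */
#define MAX_LINE_LEN    (HUGE_STRING_LEN / 4) /* the getline() cap: 1024 */

/* The mitigation only holds while the input cap stays below every
 * buffer the line is later copied into; make the build fail otherwise. */
#if MAX_LINE_LEN > MAX_STRING_LEN
#error "request line cap exceeds MAX_STRING_LEN"
#endif

/* Assumed stand-in for getline(): reads one line from an in-memory
 * request rather than a socket. Stores at most n-1 bytes in l, always
 * NUL-terminates, drops the newline. Returns 0 on success or -1 when the
 * line would not fit, leaving l empty so the caller rejects the request
 * instead of parsing a truncated line. */
int read_request_line(const char *in, char *l, size_t n)
{
    size_t i = 0;

    l[0] = '\0';
    while (in[i] != '\0' && in[i] != '\n') {
        if (i >= n - 1) {          /* one more byte would overflow l */
            l[0] = '\0';
            return -1;
        }
        l[i] = in[i];
        i++;
    }
    l[i] = '\0';
    return 0;
}

/* Bounded replacement for strsubfirst(): overwrite dest[0..start) with
 * src and keep dest[start..]. Unlike the original it is told the size of
 * dest, returns -1 with dest untouched when the result would not fit,
 * and needs no fixed-size temporary because the tail is moved in place. */
int strsubfirst_bounded(size_t start, char *dest, size_t dest_size,
                        const char *src)
{
    size_t dlen = strlen(dest);
    size_t slen = strlen(src);
    size_t tail;

    if (start > dlen)
        return -1;
    tail = dlen - start;                     /* bytes of dest that survive */
    if (slen + tail + 1 > dest_size)         /* +1 for the NUL */
        return -1;
    memmove(dest + slen, dest + start, tail + 1); /* tail plus its NUL */
    memcpy(dest, src, slen);
    return 0;
}

/* Constructed inputs (not captured traffic) exercising both edges. */
int demo_overlong_line_is_rejected(void)
{
    char in[MAX_LINE_LEN + 1];
    char l[MAX_LINE_LEN];

    memset(in, 'A', MAX_LINE_LEN);           /* 1024 bytes: one too many */
    in[MAX_LINE_LEN] = '\0';
    return read_request_line(in, l, sizeof l) == -1 && l[0] == '\0';
}

int demo_longest_legal_line_is_accepted(void)
{
    char in[MAX_LINE_LEN];
    char l[MAX_LINE_LEN];

    memset(in, 'A', MAX_LINE_LEN - 1);       /* 1023 bytes fit exactly */
    in[MAX_LINE_LEN - 1] = '\0';
    return read_request_line(in, l, sizeof l) == 0
        && strlen(l) == MAX_LINE_LEN - 1;
}

/* A ScriptAlias-style rewrite: the 8-byte prefix "/cgi-bin" becomes a
 * 28-byte directory, so "/cgi-bin/foo" needs 33 bytes including the NUL. */
int demo_strsubfirst_refuses_overflow(void)
{
    char dest[32] = "/cgi-bin/foo";
    int rc = strsubfirst_bounded(8, dest, sizeof dest,
                                 "/usr/local/etc/httpd/cgi-bin");
    return rc == -1 && strcmp(dest, "/cgi-bin/foo") == 0;
}

int demo_strsubfirst_fits(void)
{
    char dest[64] = "/cgi-bin/foo";
    int rc = strsubfirst_bounded(8, dest, sizeof dest,
                                 "/usr/local/etc/httpd/cgi-bin");
    return rc == 0 && strcmp(dest, "/usr/local/etc/httpd/cgi-bin/foo") == 0;
}

int main(void)
{
    printf("overlong line rejected:   %d\n", demo_overlong_line_is_rejected());
    printf("1023-byte line accepted:  %d\n", demo_longest_legal_line_is_accepted());
    printf("33 bytes into 32 refused: %d\n", demo_strsubfirst_refuses_overflow());
    printf("33 bytes into 64 fits:    %d\n", demo_strsubfirst_fits());
    return 0;
}
```

The point of the two halves together: the patch makes the daemon safe only as long as the 1024-byte cap is smaller than every buffer the line is copied into, which the `#if` guard turns into a build-time fact rather than something remembered from a mailing list, and a function that is told the size of its destination can refuse an oversized result instead of relying on that invariant at all.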