Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: thttpd 2.04 stack overflow

From: jef () ACME COM (Jef Poskanzer)
Date: Tue, 9 Nov 1999 17:58:45 -0800


Today I glanced at the thttpd 2.04 source code, wondering how seriously
thttpd parsed HTTP If-Modified-Since fields. I was horrified to see that
tdate_parse() scans %[a-zA-Z] into a fixed-size stack buffer.


You're right, that's pretty bad.  Thanks for the note.  Fortunately
the fix is trivial, and I had a new version of thttpd ready to go,
so I went ahead and released it.  The patch I applied is below, and
you can find the full tarchive at the usual place,
    http://www.acme.com/software/thttpd/
I was hoping to delay this release until I solve www.acme.com's current
bandwidth problems, but this is urgent enough to require an immediate fix.

By the way, this:


According to Netcraft, it's used
on 1.82% of all HTTP servers, behind only Apache, IIS, Enterprise, and
Rapidsite.


is somewhat of an overstatement.  There are actually only a hundred or
so sites running thttpd.  One of them is Demon Internet, a British
company which serves over 100,000 domains on a single SGI box running
their modified version of thttpd.

---
Jef

         Jef Poskanzer  jef () acme com  http://www.acme.com/jef/

*** tdate_parse.c       1999/09/15 16:09:36     1.1
--- tdate_parse.c       1999/11/10 01:16:39
***************
*** 211,217 ****
      */

      /* DD-mth-YY HH:MM:SS GMT */
!     if ( sscanf( cp, "%d-%[a-zA-Z]-%d %d:%d:%d GMT",
                &tm_mday, str_mon, &tm_year, &tm_hour, &tm_min,
                &tm_sec ) == 6 &&
            scan_mon( str_mon, &tm_mon ) )
--- 211,217 ----
      */

      /* DD-mth-YY HH:MM:SS GMT */
!     if ( sscanf( cp, "%d-%400[a-zA-Z]-%d %d:%d:%d GMT",
                &tm_mday, str_mon, &tm_year, &tm_hour, &tm_min,
                &tm_sec ) == 6 &&
            scan_mon( str_mon, &tm_mon ) )
***************
*** 225,231 ****
        }

      /* DD mth YY HH:MM:SS GMT */
!     else if ( sscanf( cp, "%d %[a-zA-Z] %d %d:%d:%d GMT",
                &tm_mday, str_mon, &tm_year, &tm_hour, &tm_min,
                &tm_sec) == 6 &&
            scan_mon( str_mon, &tm_mon ) )
--- 225,231 ----
        }

      /* DD mth YY HH:MM:SS GMT */
!     else if ( sscanf( cp, "%d %400[a-zA-Z] %d %d:%d:%d GMT",
                &tm_mday, str_mon, &tm_year, &tm_hour, &tm_min,
                &tm_sec) == 6 &&
            scan_mon( str_mon, &tm_mon ) )
***************
*** 239,245 ****
        }

      /* HH:MM:SS GMT DD-mth-YY */
!     else if ( sscanf( cp, "%d:%d:%d GMT %d-%[a-zA-Z]-%d",
                &tm_hour, &tm_min, &tm_sec, &tm_mday, str_mon,
                &tm_year ) == 6 &&
            scan_mon( str_mon, &tm_mon ) )
--- 239,245 ----
        }

      /* HH:MM:SS GMT DD-mth-YY */
!     else if ( sscanf( cp, "%d:%d:%d GMT %d-%400[a-zA-Z]-%d",
                &tm_hour, &tm_min, &tm_sec, &tm_mday, str_mon,
                &tm_year ) == 6 &&
            scan_mon( str_mon, &tm_mon ) )
***************
*** 253,259 ****
        }

      /* HH:MM:SS GMT DD mth YY */
!     else if ( sscanf( cp, "%d:%d:%d GMT %d %[a-zA-Z] %d",
                &tm_hour, &tm_min, &tm_sec, &tm_mday, str_mon,
                &tm_year ) == 6 &&
            scan_mon( str_mon, &tm_mon ) )
--- 253,259 ----
        }

      /* HH:MM:SS GMT DD mth YY */
!     else if ( sscanf( cp, "%d:%d:%d GMT %d %400[a-zA-Z] %d",
                &tm_hour, &tm_min, &tm_sec, &tm_mday, str_mon,
                &tm_year ) == 6 &&
            scan_mon( str_mon, &tm_mon ) )
***************
*** 267,273 ****
        }

      /* wdy, DD-mth-YY HH:MM:SS GMT */
!     else if ( sscanf( cp, "%[a-zA-Z], %d-%[a-zA-Z]-%d %d:%d:%d GMT",
                str_wday, &tm_mday, str_mon, &tm_year, &tm_hour, &tm_min,
                &tm_sec ) == 7 &&
            scan_wday( str_wday, &tm_wday ) &&
--- 267,273 ----
        }

      /* wdy, DD-mth-YY HH:MM:SS GMT */
!     else if ( sscanf( cp, "%400[a-zA-Z], %d-%400[a-zA-Z]-%d %d:%d:%d GMT",
                str_wday, &tm_mday, str_mon, &tm_year, &tm_hour, &tm_min,
                &tm_sec ) == 7 &&
            scan_wday( str_wday, &tm_wday ) &&
***************
*** 283,289 ****
        }

      /* wdy, DD mth YY HH:MM:SS GMT */
!     else if ( sscanf( cp, "%[a-zA-Z], %d %[a-zA-Z] %d %d:%d:%d GMT",
                str_wday, &tm_mday, str_mon, &tm_year, &tm_hour, &tm_min,
                &tm_sec ) == 7 &&
            scan_wday( str_wday, &tm_wday ) &&
--- 283,289 ----
        }

      /* wdy, DD mth YY HH:MM:SS GMT */
!     else if ( sscanf( cp, "%400[a-zA-Z], %d %400[a-zA-Z] %d %d:%d:%d GMT",
                str_wday, &tm_mday, str_mon, &tm_year, &tm_hour, &tm_min,
                &tm_sec ) == 7 &&
            scan_wday( str_wday, &tm_wday ) &&
***************
*** 299,305 ****
        }

      /* wdy mth DD HH:MM:SS GMT YY */
!     else if ( sscanf( cp, "%[a-zA-Z] %[a-zA-Z] %d %d:%d:%d GMT %d",
                str_wday, str_mon, &tm_mday, &tm_hour, &tm_min, &tm_sec,
                &tm_year ) == 7 &&
            scan_wday( str_wday, &tm_wday ) &&
--- 299,305 ----
        }

      /* wdy mth DD HH:MM:SS GMT YY */
!     else if ( sscanf( cp, "%400[a-zA-Z] %400[a-zA-Z] %d %d:%d:%d GMT %d",
                str_wday, str_mon, &tm_mday, &tm_hour, &tm_min, &tm_sec,
                &tm_year ) == 7 &&
            scan_wday( str_wday, &tm_wday ) &&
Previous By Date Next
Previous By Thread Next

Current thread: