Re: system/2767
On Sun, Jun 23, 2002 at 12:46:04PM +0200, Jedi/Sector One wrote:
> On Sun, Jun 23, 2002 at 04:42:08AM -0600, Federico G. Schwindt wrote:
> > Diff applied, although only the sizeof(caCMD) - 1.
> > Thanks.
>
> This off-by-one is the real vulnerability, but why don't you fix the space
> trimming as well?
>
> In the current Apache parser, spaces are already trimmed when the redirect
> hooks are called, so the first part of ssl_compat_directive() is useless. By
> chance. Either assume that spaces are always trimmed and remove this part,
> or check the buffer size. In the current state, we have both useless and
> insecure code.
I see no real problem here. Returning NULL would mean this is a comment
while it's not the case. This may be a real oversized or wrong directive.
Assuming that it's a comment because its length exceeds 1023 bytes is
wrong in my opinion, and not what the code intended in the first place.
f.-
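As an added example (not mod_ssl's code and not the diff discussed in this thread), here is a hypothetical extract_directive_name() showing the bounded-copy pattern the thread is about: it trims leading blanks itself instead of assuming the caller did, writes at most outsz - 1 characters plus the NUL (the off-by-one being a copy of outsz characters followed by the NUL one byte past the buffer), and reports an oversized name as its own status rather than the comment value. The buffer size and the sample input lines are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical fixed-size directive buffer, matching the 1024 bytes
 * mentioned in the thread (this is example code, not mod_ssl's). */
#define DIRECTIVE_BUFSZ 1024

enum directive_status {
    DIRECTIVE_OK = 0,        /* name copied into out */
    DIRECTIVE_COMMENT = 1,   /* empty line or '#' comment: nothing to parse */
    DIRECTIVE_TOO_LONG = 2   /* name does not fit: a distinct error, not a comment */
};

/*
 * Copy the first whitespace-delimited token of `line` into `out`
 * (`outsz` bytes).  Leading blanks are skipped here rather than assumed
 * to have been trimmed by the caller.  The copy stops once outsz - 1
 * characters are stored so the terminating NUL always lands inside the
 * buffer; an input longer than that is reported, not silently treated
 * as a comment.
 */
enum directive_status
extract_directive_name(const char *line, char *out, size_t outsz)
{
    size_t n = 0;

    if (outsz == 0)
        return DIRECTIVE_TOO_LONG;

    while (*line == ' ' || *line == '\t')
        line++;

    if (*line == '\0' || *line == '\n' || *line == '#') {
        out[0] = '\0';
        return DIRECTIVE_COMMENT;
    }

    while (*line != '\0' && !isspace((unsigned char)*line)) {
        if (n == outsz - 1) {   /* no room for this char plus the NUL */
            out[n] = '\0';
            return DIRECTIVE_TOO_LONG;
        }
        out[n++] = *line++;
    }
    out[n] = '\0';
    return DIRECTIVE_OK;
}
```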