Changeset 1371

Timestamp:

09/30/08 05:17:21 (5 years ago)

Author:

wichert

Message:

Security: strncpy is not guaranteed to NUL-terminate strings

Location:

trunk/wifidog/libhttpd

Files:

• api.c (modified) (12 diffs)
• protocol.c (modified) (1 diff)

trunk/wifidog/libhttpd/api.c

@@ -350 +350 @@
                 &addrLen);
         ipaddr = inet_ntoa(addr.sin_addr);
-        if (ipaddr)
+        if (ipaddr) {
                 strncpy(r->clientAddr, ipaddr, HTTP_IP_ADDR_LEN);
-        else
+                r->clientAddr[HTTP_IP_ADDR_LEN-1]=0;
+        } else
                 *r->clientAddr = 0;
         r->readBufRemain = 0;
@@ -439 +440 @@
                         *cp2 = 0;
                         strncpy(r->request.path,cp,HTTP_MAX_URL);
+                        r->request.path[HTTP_MAX_URL-1]=0;
                         _httpd_sanitiseUrl(r->request.path);
                         continue;
@@ -508 +510 @@
                                                    r->request.authPassword,
                                                    cp+1, HTTP_MAX_AUTH);
+                                                r->request.authPassword[HTTP_MAX_AUTH-1]=0;
                                         }
                                         strncpy(r->request.authUser, 
                                                 authBuf, HTTP_MAX_AUTH);
+                                        r->request.authUser[HTTP_MAX_AUTH-1]=0;
                                 }
                         }
@@ -521 +525 @@
                                         strncpy(r->request.referer,cp,
                                                 HTTP_MAX_URL);
+                                        r->request.referer[HTTP_MAX_URL-1]=0;
                                 }
                         }
@@ -533 +538 @@
                                         strncpy(r->request.host,cp,
                                                 HTTP_MAX_URL);
+                                        r->request.host[HTTP_MAX_URL-1]=0;
                                 }
                         }
@@ -544 +550 @@
                                         strncpy(r->request.ifModified,cp,
                                                 HTTP_MAX_URL);
+                                        r->request.ifModified[HTTP_MAX_URL-1]=0;
                                         cp = index(r->request.ifModified,
                                                 ';');
@@ -557 +564 @@
                                         strncpy(r->request.contentType,cp,
                                                 HTTP_MAX_URL);
+                                        r->request.contentType[HTTP_MAX_URL-1]=0;
                                 }
                         }
@@ -595 +603 @@
                 *cp++ = 0;
                 strncpy(r->request.query, cp, sizeof(r->request.query));
+                r->request.query[sizeof(r->request.query)-1]=0;
                 _httpd_storeData(r, cp);
         }
@@ -642 +651 @@
 {
         strncpy(server->fileBasePath, path, HTTP_MAX_URL);
+        server->fileBasePath[HTTP_MAX_URL-1]=0;
 }
 
@@ -823 +833 @@
 {
         strncpy(r->response.response, msg, HTTP_MAX_URL);
+        r->response.response[HTTP_MAX_URL-1]=0;
 }
 
@@ -945 +956 @@
         r->response.responseLength = 0;
         strncpy(dirName, httpdRequestPath(r), HTTP_MAX_URL);
+        dirName[HTTP_MAX_URL-1]=0;
         cp = rindex(dirName, '/');
         if (cp == NULL)
@@ -952 +964 @@
         }
         strncpy(entryName, cp + 1, HTTP_MAX_URL);
+        entryName[HTTP_MAX_URL-1]=0;
         if (cp != dirName)
                 *cp = 0;

trunk/wifidog/libhttpd/protocol.c

@@ -468 +468 @@
 
         strncpy(buffer, dir, HTTP_MAX_URL);
+        buffer[HTTP_MAX_URL-1]=0;
         curItem = server->content;
         curDir = strtok(buffer,"/");