Bug #713
[closed] UNIX_PATH_MAX - bad assumption - buffer overflow
Description
There is at least one buffer overflow in src/spawn-fcgi.c, since if UNIX_PATH_MAX is not defined, it is set to 108, which may NOT be assumed! One should use sizeof() instead.
You should also check src/mod_fastcgi.c, src/mod_scgi.c and src/spawn-fcgi.c. I was not able to exploit the overflow in src/spawn-fcgi.c in any way, but this is generally a very bad practice and could lead to problems when using external management applications and/or lead to potential security problems in those modules, now or in the future. Maybe it already IS vulnerable on some platforms!
At least on OpenBSD/FreeBSD in sys/un.h:
/*
 * Definitions for UNIX IPC domain.
 */
struct sockaddr_un {
    unsigned char sun_len;      /* sockaddr len including null */
    sa_family_t   sun_family;   /* AF_UNIX */
    char          sun_path[104]; /* path name (gag) */
};
-- jimmy
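The sizeof()-based check the report asks for, as an added example that is not part of the original report and is not lighttpd's code (the r1944 change is not shown on this page). The names SUN_PATH_CAP, unix_addr_from_path and try_path_of_length are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Capacity of sun_path on this platform: 104 in the BSD header quoted above,
 * other values elsewhere. Taken from the type, never from a constant. */
#define SUN_PATH_CAP (sizeof(((struct sockaddr_un *)0)->sun_path))

/* Hypothetical helper, not spawn-fcgi code: fill addr for a UNIX socket path.
 * Returns 0 and the length to pass to bind()/connect() in *len, or -1 with
 * errno set when the path (plus its NUL terminator) does not fit. */
static int unix_addr_from_path(struct sockaddr_un *addr, socklen_t *len,
                               const char *path)
{
    size_t n = strlen(path);

    if (n == 0 || n >= SUN_PATH_CAP) {  /* ">=" keeps room for the NUL */
        errno = (n == 0) ? EINVAL : ENAMETOOLONG;
        return -1;
    }
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, n + 1);
    *len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + 1);
    return 0;
}

/* Constructed input: a path made of exactly n 'a' characters. */
static int try_path_of_length(size_t n)
{
    char path[512];
    struct sockaddr_un addr;
    socklen_t len;

    if (n >= sizeof(path)) return -1;
    memset(path, 'a', n);
    path[n] = '\0';
    return unix_addr_from_path(&addr, &len, path);
}

int main(void)
{
    printf("sun_path capacity here: %zu\n", SUN_PATH_CAP);
    printf("cap-1 chars: %d\n", try_path_of_length(SUN_PATH_CAP - 1));
    printf("cap chars:   %d\n", try_path_of_length(SUN_PATH_CAP));
    return 0;
}
```

A path that is rejected here would, with a hardcoded 108 on a platform whose sun_path is 104 bytes, be copied past the end of the array.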
Updated by jan over 17 years ago
- Status changed from New to Fixed
- Resolution set to fixed
fixed in r1944