Check input lenght to avoid potential overflows

author Stefan Fritsch <sf@apache.org>

Sat, 20 Nov 2010 20:26:37 +0000 (20:26 +0000)

committer Stefan Fritsch <sf@apache.org>

Sat, 20 Nov 2010 20:26:37 +0000 (20:26 +0000)
author Stefan Fritsch <sf@apache.org>
Sat, 20 Nov 2010 20:26:37 +0000 (20:26 +0000)
committer Stefan Fritsch <sf@apache.org>
Sat, 20 Nov 2010 20:26:37 +0000 (20:26 +0000)
diff --git a/server/util_expr_eval.c b/server/util_expr_eval.c

index edb1b7d7f7987e43140e8bf7a56e3a803e18baad..21690504b60e81f7e4d1fb742d941b267154e41d 100644 (file)
--- a/server/util_expr_eval.c
+++ b/server/util_expr_eval.c
@@ -298,7 +298,7 @@ AP_DECLARE(const char *) ap_expr_parse(apr_pool_t *pool, apr_pool_t *ptemp,
      ctx.inputlen = strlen(expr);
      ctx.inputptr = ctx.inputbuf;
      ctx.expr     = NULL;
-    ctx.error    = NULL;        /* generic bison error message (usually not very useful) */
+    ctx.error    = NULL;        /* generic bison error message (XXX: usually not very useful, should be axed) */
      ctx.error2   = NULL;        /* additional error message */
      ctx.flags    = info->flags;
      ctx.scan_del    = '\0';
@@ -306,6 +306,15 @@ AP_DECLARE(const char *) ap_expr_parse(apr_pool_t *pool, apr_pool_t *ptemp,
      ctx.scan_ptr    = ctx.scan_buf;
      ctx.lookup_fn   = lookup_fn ? lookup_fn : ap_run_expr_lookup;
  
+
+    /*
+     * Be sure to avoid overflows in the scanner. In practice the input length
+     * will be limited by the config file parser, anyway.
+     * XXX: The scanner really should do proper buffer overflow checks
+     */
+    if (ctx.inputlen >= MAX_STRING_LEN)
+        return "Expression too long";
+
      ap_expr_yylex_init(&ctx.scanner);
      ap_expr_yyset_extra(&ctx, ctx.scanner);
      rc = ap_expr_yyparse(&ctx);
author	Stefan Fritsch <sf@apache.org>
	Sat, 20 Nov 2010 20:26:37 +0000 (20:26 +0000)
committer	Stefan Fritsch <sf@apache.org>
	Sat, 20 Nov 2010 20:26:37 +0000 (20:26 +0000)