From: Rainer Jung
Date: Sun, 14 Feb 2010 21:36:03 +0000 (+0000)
Subject: Limit sscanf format to the number of chars actually
X-Git-Tag: 2.3.6~476
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8e6c0bdc8aa0283a1d15ae3ef94edf6b79fc33a4;p=apache
Limit sscanf format to the number of chars actually needed and buffer size provided to prevent buffer overflow.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@910079 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index 91fdbc9a6e..5097a4042a 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -2342,21 +2342,22 @@ static apr_status_t send_http_connect(proxy_conn_rec *backend,
 /* Check for HTTP_OK response status */
 if (status == APR_SUCCESS) {
 int major, minor;
- char code_str[10];
+ /* Only scan for three character status code */
+ char code_str[4];
 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "send_http_connect: response from the forward proxy: %s", buffer);
 /* Extract the returned code */
- if (sscanf(buffer, "HTTP/%u.%u %s", &major, &minor, code_str) == 3) {
+ if (sscanf(buffer, "HTTP/%u.%u %3s", &major, &minor, code_str) == 3) {
 status = atoi(code_str);
 if (status == HTTP_OK) {
 status = APR_SUCCESS;
 } else {
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "send_http_connect: the forward proxy returned code is %s",
+ "send_http_connect: the forward proxy returned code is '%s'",
 code_str);
 status = APR_INCOMPLETE;
 }
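Review bot: The `%3s` conversion in the new `sscanf` call truncates silently, so a status token such as `2000` or `200x` is stored as `200` and `atoi()` then yields HTTP_OK. Scanning with `"HTTP/%u.%u %3[0-9]%n"` and then requiring the byte at the `%n` offset in `buffer` to be whitespace or the terminator would reject such lines instead of accepting them, and would keep non-digit text out of `code_str`. Separately, `major` and `minor` are declared `int` but filled through `%u`; `unsigned int major, minor;` would match the conversion. The enclosing function starts and ends outside the hunk, so how `buffer` is filled and terminated is not visible here.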