From 0e4810f9006da33eff6af211d4d8418545271b75 Mon Sep 17 00:00:00 2001
From: Daniel Earl Poirier
Date: Fri, 24 Jul 2009 17:15:29 +0000
Subject: [PATCH] htdbm: Fix possible buffer overflow if dbm database has very long values. PR 30586 [Dan Poirier]

PR 30586
Reported by: Ulf Harnhammar, Swedish IT Incident Centre

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@797563 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 3 +++
 support/htdbm.c | 16 ++++++----------
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/CHANGES b/CHANGES
index 037874a417..facc56a983 100644
--- a/CHANGES
+++ b/CHANGES
@@ -11,6 +11,9 @@ Changes with Apache 2.3.3
 mod_proxy_ajp: Avoid delivering content from a previous request which failed to send a request body. PR 46949 [Ruediger Pluem]
+ *) htdbm: Fix possible buffer overflow if dbm database has very
+ long values. PR 30586 [Dan Poirier]
+
 *) core: Return APR_EOF if request body is shorter than the length announced by the client. PR 33098 [ Stefan Fritsch ]
diff --git a/support/htdbm.c b/support/htdbm.c
index b98d686220..74bff82003 100644
--- a/support/htdbm.c
+++ b/support/htdbm.c
@@ -219,7 +219,7 @@ static apr_status_t htdbm_del(htdbm_t *htdbm)
 static apr_status_t htdbm_verify(htdbm_t *htdbm)
 {
 apr_datum_t key, val;
- char pwd[MAX_STRING_LEN] = {0};
+ char *pwd;
 char *rec, *cmnt;
 key.dptr = htdbm->username;
@@ -231,9 +231,9 @@ static apr_status_t htdbm_verify(htdbm_t *htdbm)
 rec = apr_pstrndup(htdbm->pool, val.dptr, val.dsize);
 cmnt = strchr(rec, ':');
 if (cmnt)
- strncpy(pwd, rec, cmnt - rec);
+ pwd = apr_pstrndup(htdbm->pool, rec, cmnt - rec);
 else
- strcpy(pwd, rec);
+ pwd = apr_pstrdup(htdbm->pool, rec);
 return apr_password_validate(htdbm->userpass, pwd);
 }
@@ -242,7 +242,7 @@ static apr_status_t htdbm_list(htdbm_t *htdbm)
 apr_status_t rv;
 apr_datum_t key, val;
 char *rec, *cmnt;
- char kb[MAX_STRING_LEN];
+ char *kb;
 int i = 0;
 rv = apr_dbm_firstkey(htdbm->dbm, &key);
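Review bot: The new `pwd = apr_pstrndup(htdbm->pool, rec, cmnt - rec)` and `pwd = apr_pstrdup(htdbm->pool, rec)` lines copy a string that is already a private pool copy — `rec` was produced by `apr_pstrndup` two lines earlier and is not used after the password check — so the second allocation only adds a pool allocation per verify call. Since `rec` is writable pool memory, the same result comes from terminating it in place: `if (cmnt) *cmnt = '\0';` followed by `return apr_password_validate(htdbm->userpass, rec);`, which would also let the `char *pwd` declaration added in the previous hunk go away. The fix itself is sound: both `apr_pstrndup` and `apr_pstrdup` size the copy from the input, so the MAX_STRING_LEN overflow is gone, and `cmnt - rec` is non-negative because `cmnt` points into `rec`. htdbm_verify begins in the preceding hunk and its opening lines are not shown here.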
@@ -250,8 +250,6 @@ static apr_status_t htdbm_list(htdbm_t *htdbm)
 fprintf(stderr, "Empty database -- %s\n", htdbm->filename);
 return APR_ENOENT;
 }
- rec = apr_pcalloc(htdbm->pool, HUGE_STRING_LEN);
-
 fprintf(stderr, "Dumping records from database -- %s\n", htdbm->filename);
 fprintf(stderr, " %-32sComment\n", "Username");
 while (key.dptr != NULL) {
@@ -260,11 +258,9 @@ static apr_status_t htdbm_list(htdbm_t *htdbm)
 fprintf(stderr, "Failed getting data from %s\n", htdbm->filename);
 return APR_EGENERAL;
 }
- strncpy(kb, key.dptr, key.dsize);
- kb[key.dsize] = '\0';
+ kb = apr_pstrndup(htdbm->pool, key.dptr, key.dsize);
 fprintf(stderr, " %-32s", kb);
- strncpy(rec, val.dptr, val.dsize);
- rec[val.dsize] = '\0';
+ rec = apr_pstrndup(htdbm->pool, val.dptr, val.dsize);
 cmnt = strchr(rec, ':');
 if (cmnt)
 fprintf(stderr, "%s", cmnt + 1);
-- 
2.40.0
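Review bot: The two added `apr_pstrndup(htdbm->pool, ...)` calls sit inside the `while (key.dptr != NULL)` loop, so every record listed now leaves a copy of its key and its value in `htdbm->pool`, which (as far as this hunk shows) is the tool's long-lived pool; the removed fixed buffers were reused across iterations, so memory held by htdbm_list now grows with the size of the database until the pool is destroyed. For a one-shot command-line tool that is probably acceptable, but it is worth a comment on the `kb = ...` line such as `/* pool copies accumulate per record; fine for a one-shot listing */`, or a per-iteration subpool: `apr_pool_create(&iterpool, htdbm->pool)` before the loop, both `apr_pstrndup` calls taking `iterpool`, and `apr_pool_clear(iterpool)` at the end of each iteration. The end of the loop body is outside this hunk, so where the clear would go is not visible here. The overflow fix itself is correct: the copies are sized from `key.dsize` and `val.dsize` and NUL-terminated by `apr_pstrndup`, so the old `kb[key.dsize] = '\0'` write past a MAX_STRING_LEN buffer can no longer happen.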