From 11492551faac4abadacf59998534bf7ba0204351 Mon Sep 17 00:00:00 2001
From: "William A. Rowe Jr"
Date: Sat, 7 Jun 2008 01:10:50 +0000
Subject: [PATCH] If we are submitting 2GB login forms, there is a very serious, serious problem. The len and form_size of size_t should be adaquate, clean up the rest of the size/off mismatches.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@664230 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/aaa/mod_auth_form.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/modules/aaa/mod_auth_form.c b/modules/aaa/mod_auth_form.c
index c7f718c882..1d34f15461 100644
--- a/modules/aaa/mod_auth_form.c
+++ b/modules/aaa/mod_auth_form.c
@@ -63,7 +63,7 @@ typedef struct {
 int username_set;
 const char *password;
 int password_set;
- apr_off_t form_size;
+ apr_size_t form_size;
 int form_size_set;
 int fakebasicauth;
 int fakebasicauth_set;
@@ -279,11 +279,13 @@ static const char *set_cookie_form_size(cmd_parms * cmd, void *config,
 const char *arg)
 {
 auth_form_config_rec *conf = config;
+ apr_off_t size;
- if (APR_SUCCESS != apr_strtoff(&(conf->form_size), arg, NULL, 0)
- || conf->form_size < 0) {
+ if (APR_SUCCESS != apr_strtoff(&size, arg, NULL, 0)
+ || size < 0 || size > APR_SIZE_MAX) {
 return "AuthCookieFormSize must be a size in bytes, or zero.";
 }
+ conf->form_size = (apr_size_t)size;
 conf->form_size_set = 1;
 return NULL;
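Review bot: The rewritten `apr_strtoff()` call on the new `if` line in set_cookie_form_size still passes NULL as the end pointer, so as far as I can tell a directive value with trailing junk (e.g. `1024k`) is silently accepted as `1024` and a value with no digits at all becomes zero without an error; the commit tightens the numeric range but not the syntax of the argument. Capturing the end pointer and rejecting partial parses closes that gap: `char *end;` before the call, then `if (APR_SUCCESS != apr_strtoff(&size, arg, &end, 0)` / `|| end == arg || *end != '\0' || size < 0 || size > APR_SIZE_MAX) {`. The added `size > APR_SIZE_MAX` test is correct only because `size < 0` is evaluated first (the comparison converts `size` to unsigned), which deserves a one-line comment such as `/* size >= 0 here, so the unsigned comparison is safe */`; on LP64 builds it is always false and may draw a sign-compare warning. The closing brace of set_cookie_form_size is not visible in the hunk.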
@@ -602,40 +604,40 @@ static int get_form_auth(request_rec * r,
 ap_form_pair_t *pair = (ap_form_pair_t *) apr_array_pop(pairs);
 if (username && !strcmp(pair->name, username) && sent_user) {
 apr_brigade_length(pair->value, 1, &len);
- buffer = apr_palloc(r->pool, len + 1);
 size = (apr_size_t) len;
+ buffer = apr_palloc(r->pool, size + 1);
 apr_brigade_flatten(pair->value, buffer, &size);
 buffer[len] = 0;
 *sent_user = buffer;
 }
 else if (password && !strcmp(pair->name, password) && sent_pw) {
 apr_brigade_length(pair->value, 1, &len);
- buffer = apr_palloc(r->pool, len + 1);
 size = (apr_size_t) len;
+ buffer = apr_palloc(r->pool, size + 1);
 apr_brigade_flatten(pair->value, buffer, &size);
 buffer[len] = 0;
 *sent_pw = buffer;
 }
 else if (location && !strcmp(pair->name, location) && sent_loc) {
 apr_brigade_length(pair->value, 1, &len);
- buffer = apr_palloc(r->pool, len + 1);
 size = (apr_size_t) len;
+ buffer = apr_palloc(r->pool, size + 1);
 apr_brigade_flatten(pair->value, buffer, &size);
 buffer[len] = 0;
 *sent_loc = buffer;
 }
 else if (method && !strcmp(pair->name, method) && sent_method) {
 apr_brigade_length(pair->value, 1, &len);
- buffer = apr_palloc(r->pool, len + 1);
 size = (apr_size_t) len;
+ buffer = apr_palloc(r->pool, size + 1);
 apr_brigade_flatten(pair->value, buffer, &size);
 buffer[len] = 0;
 *sent_method = buffer;
 }
 else if (mimetype && !strcmp(pair->name, mimetype) && sent_mimetype) {
 apr_brigade_length(pair->value, 1, &len);
- buffer = apr_palloc(r->pool, len + 1);
 size = (apr_size_t) len;
+ buffer = apr_palloc(r->pool, size + 1);
 apr_brigade_flatten(pair->value, buffer, &size);
 buffer[len] = 0;
 *sent_mimetype = buffer;
-- 
2.40.0
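Review bot: In every branch the allocation is now `size + 1` but the terminator is still written as `buffer[len] = 0`, so the index and the allocation are derived from different variables; should the `(apr_size_t) len` cast ever truncate (a 32-bit build with a 64-bit apr_off_t, unless the form_size limit is already known to bound every field), the NUL lands past the end of the buffer. `apr_brigade_flatten()` also updates `size` to the number of bytes actually copied, so `buffer[size] = 0;` both matches the allocation and terminates right after the data. The status of `apr_brigade_length()` is ignored in all five branches; I believe it returns early without setting `len` when a bucket read fails, which would leave `len` stale. Since the five branches are otherwise identical, the flatten-and-terminate sequence is best moved into one static helper that does the range check once (same pattern as the new set_cookie_form_size guard), as sketched below; get_form_auth begins and ends outside this hunk, and whether callers treat a NULL `*sent_*` as "not sent" needs confirming against the rest of the function.
```c
/* Copy one form field's value into a NUL-terminated pool string.
 * Returns NULL when the brigade cannot be read or its length does not
 * fit an apr_size_t; the caller then sees the field as not sent. */
static char *flatten_form_value(apr_pool_t *p, ap_form_pair_t *pair)
{
    apr_off_t len;
    apr_size_t size;
    char *buffer;

    if (apr_brigade_length(pair->value, 1, &len) != APR_SUCCESS
        || len < 0 || len > APR_SIZE_MAX) {
        return NULL;
    }
    size = (apr_size_t) len;
    buffer = apr_palloc(p, size + 1);
    apr_brigade_flatten(pair->value, buffer, &size);
    buffer[size] = 0;   /* index and allocation come from the same value */
    return buffer;
}

/* … in get_form_auth, each branch collapses to a single assignment … */
        if (username && !strcmp(pair->name, username) && sent_user) {
            *sent_user = flatten_form_value(r->pool, pair);
        }
        /* … unchanged: the password/location/method/mimetype branches follow the same pattern … */
```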