Skip to content

fix off-by-one buffer overflow in proxy_send_dir_filter#677

Open
arshsmith1 wants to merge 1 commit into
apache:trunkfrom
arshsmith1:ftp-dir-buffer-bounds
Open

fix off-by-one buffer overflow in proxy_send_dir_filter#677
arshsmith1 wants to merge 1 commit into
apache:trunkfrom
arshsmith1:ftp-dir-buffer-bounds

Conversation

@arshsmith1

Copy link
Copy Markdown

proxy_send_dir_filter accumulates each FTP listing line into a fixed MAX_STRING_LEN buffer, and an over-long line from the backend fills it to the last byte with its newline truncated, so the ls -s1 fallback branch then strcat()s a newline two bytes past the array. A bare-LF line trips a matching underflow: the trailing-newline strip walks n down to 0 and reads ctx->buffer[n-1] before the buffer. Guard the strip with n > 0 and bound the re-appended newline so both stay inside ctx->buffer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant