hi. i'm the author of bozohttpd.
this isn't a DoS or security problem. i only noticed this after there was a secunia notice about one. i've mailed them about this as well to inform them that their notice is wrong. in inetd or daemon mode, the double free() occurs in the child process, not the process that calls accept(). this is a real bug, for sure, but it does not affect service. this problem is infact extremely minor. below is the patch i've commited to fix the problem. .mrg. Index: bozohttpd.c =================================================================== RCS file: /home/cvs/bozohttpd/bozohttpd.c,v retrieving revision 1.160 retrieving revision 1.161 diff -p -r1.160 -r1.161 *** bozohttpd.c 23 May 2009 08:30:52 -0000 1.160 --- bozohttpd.c 27 Jan 2010 02:10:54 -0000 1.161 *************** *** 1,4 **** ! /* $eterna: bozohttpd.c,v 1.160 2009/05/23 08:30:52 mrg Exp $ */ /* * Copyright (c) 1997-2009 Matthew R. Green --- 1,4 ---- ! /* $eterna: bozohttpd.c,v 1.161 2010/01/27 02:10:54 mrg Exp $ */ /* * Copyright (c) 1997-2009 Matthew R. Green *************** parse_request(char *in, char **method, c *** 583,607 **** *file = val; else *file = in; ! return; ! } ! *file = val; ! ! *query = strchr(*file, '?'); ! if (*query) ! *(*query)++ = '\0'; ! if (in) { ! while (*in && (*in == ' ' || *in == '\t')) ! in++; ! if (*in) ! *proto = in; } /* allocate private copies */ ! *file = strdup(*file); if (*query) ! *query = strdup(*query); debug((DEBUG_FAT, "url: method: \"%s\" file: \"%s\" query: \"%s\" proto: \"%s\"", *method, *file, *query, *proto)); --- 583,607 ---- *file = val; else *file = in; ! } else { ! *file = val; ! *query = strchr(*file, '?'); ! if (*query) ! *(*query)++ = '\0'; ! ! if (in) { ! while (*in && (*in == ' ' || *in == '\t')) ! in++; ! if (*in) ! *proto = in; ! } } /* allocate private copies */ ! *file = bozostrdup(*file); if (*query) ! 
*query = bozostrdup(*query); debug((DEBUG_FAT, "url: method: \"%s\" file: \"%s\" query: \"%s\" proto: \"%s\"", *method, *file, *query, *proto));
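Review bot: The branch that used to `return` early now falls through to `if (*query)` and the `debug()` call without assigning `*query` or `*proto`, so the new code is only correct if both were set to NULL before the hunk starts; that initialisation is not visible here. If it is not already present, `*query = *proto = NULL;` belongs at the top of parse_request, because otherwise `bozostrdup()` would copy from an indeterminate pointer on that path. The `debug()` call also receives `*query` and `*proto` through `%s` while they may be NULL, which is undefined for the printf family if that is what debug() forwards to. A comment beside `/* allocate private copies */`, for example `/* *file and *query are always heap copies from here on, so they are safe to free() */`, would record the ownership rule this fix establishes. parse_request begins and ends outside the hunk.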