author: Mark J. Cox <mjc@apache.org> 2006-07-27 19:03:34 +0200
committer: Mark J. Cox <mjc@apache.org> 2006-07-27 19:03:34 +0200
commit: 862dd4e3e7a3391afd6fe392e4ab568d73b9c873 (patch)
tree: 7618277d859020ade10cadd1e8d2e0cd9fa3d59f /modules/mappers
parent: Document new ping parameter. (diff)
SECURITY: CVE-2006-3747 (cve.mitre.org)
mod_rewrite: Fix an off-by-one security problem in the ldap scheme handling. For some RewriteRules this could lead to a pointer being written out of bounds. Reported by Mark Dowd of McAfee.

Ack: trawick, lars, jorton, wrowe, benl

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@426138 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/mappers')
-rw-r--r-- modules/mappers/mod_rewrite.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 6c9433b0ab..ca700cce33 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -670,7 +670,7 @@ static char *escape_absolute_uri(apr_pool_t *p, char *uri, unsigned scheme)
int c = 0;
token[0] = cp = apr_pstrdup(p, cp);
- while (*cp && c < 5) {
+ while (*cp && c < 4) {
if (*cp == '?') {
token[++c] = cp + 1;
*cp = '\0';
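Review bot: The new bound `c < 4` in the `while` condition is a bare literal whose correctness depends on the size of `token`, which is declared outside this hunk. Because the body stores with a pre-increment, `token[++c] = cp + 1;`, the highest index written is one more than the largest `c` that passes the test: 5 under the old condition, 4 under the new one. Consider deriving the limit from the array itself (element count minus one) or from a named constant shared with the declaration, and add a short comment that the pre-increment is why the limit is count minus one, so a later change to the array size or the loop body does not reintroduce the out-of-bounds pointer write described in the commit message.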