Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 9 Aug 2022 14:50:34 +0300
From: Evgeny Legerov <>
Subject: Apache mod_dav off-by-one


How it happens that Apache process_if_header off-by-one, which has been 
mentioned in

The Art of Software Security Assessment (page 420), still remains unpatched?

What am I missing?

The code from Apache 2.4.54:

static dav_error * dav_process_if_header(request_rec *r, dav_if_header 

      while (*list) {
                 /* List is the entire production (in a uri scope) */

                 switch (*list) {
                 case 'N':
                     if (list[1] == 'o' && list[2] == 't') {
                         if (condition != DAV_IF_COND_NORMAL) {
                             return dav_new_error(r->pool, HTTP_BAD_REQUEST,
                                                  "Invalid \"If:\" header: "
                                                  "Multiple \"not\" 
entries "
                                                  "for the same state.");
                         condition = DAV_IF_COND_NOT;
                     list += 2;

It is not only out of bounds read, dav_fetch_next_token() will write 
NULL byte on next iteration.



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.