-= CVE-2004-0940 =-

Vulnerable versions: Apache 1.3.x to 1.3.32
File(s): src/modules/standard/mod_include.c
Download from:
  http://archive.apache.org/dist/httpd/apache_1.3.32.tar.gz

Domain: Web (HTTP) Server

_ Vulnerable Functions and Buffers _

The function get_tag() is passed a buffer, and an integer representing
the size of this buffer. A loop get_tag() iterates over this buffer,
filling it with characters from a file. A bounds check,
   if (t - tag == tagbuf_len)
is meant to keep get_tag() from writing passed the end of the buffer
tag[], into which t points.

Unfortunately, there is a path through this loop in which t is
incremented twice without an intervening check; hence, t - tag can be
greater than tagbuf_len. Multiple writes to tag[] are thus unsafe.

_ Decomposed Programs _

apache.h
apache.c

get_tag/
  iter{1,2}_prefix{Short,Long}_{arr,ptr}_{bad,ok}.c

iter1 -- all iteration is forwards
iter2 -- there is forwards and backwards iteration (only the bad cases do this)
prefixShort -- little of get_tag() up to the relevant loop is preserved
prefixLong -- almost all of get_tag() up to the relevant loop is preserved

arr, ptr, bad, and ok mean the standard things
