Demo Discussion
Forum Config Examples Contributions Vulnerabilities
  Discussion forum about ELOG  Not logged in ELOG logo
icon4.gif   Long cookie content is not handled properly., posted by Simon Patton on Tue Apr 14 22:51:15 2009 
    icon2.gif   Re: Long cookie content is not handled properly., posted by Stefan Ritt on Wed Apr 15 09:26:37 2009 
Message ID: 66314     Entry time: Tue Apr 14 22:51:15 2009     Reply to this: 66315
Icon: Warning  Author: Simon Patton  Author Email: sjpatton@lbl.gov 
Category: Bug fix  OS: All  ELOG Version: 2.7.6 
Subject: Long cookie content is not handled properly. 
I discovered the infinite loop in 2.7.5 which can happen when a cookie's content is longer that the cookie array
designed to hold it. I also note that this issue has been addressed in 2.7.6, but the solution does not appear
to be correct and it can end up completely confusing the cookie extraction.

In 2.7.5 the code was:
    for (i = 0; *p && *p != ';' && *p != '\r' && *p != '\n' ; )
        if (i < (int) sizeof(cookie)-1)
            cookie[i++] = *p++;

While in 2.7.6 is became:
    for (i = 0; *p && *p != ';' && *p != '\r' && *p != '\n';)
        if (i < (int) sizeof(cookie) - 1)
            cookie[i++] = *p++;
        else
            break;

This leaves 'p' pointing to the middle of the cookie's content and I can not see that this is corrected in the loop (sorry if I've missed that).

The solution I used to patch 2.7.5 was the following:
    for (i = 0; *p && *p != ';' && *p != '\r' && *p != '\n' ; ++p)
        if (i < (int) sizeof(cookie)-1)
            cookie[i++] = *p;

which simply truncates the contents of the cookie (which is assumed not to be an elogd cookie) but leaves 'p' in the right place to extract the next one.
ELOG V3.1.5-3fb85fa6