Posted to dev@tomcat.apache.org by bu...@apache.org on 2004/03/12 12:01:16 UTC

DO NOT REPLY [Bug 27627] New: - Buffer overflow in jk2 connector while parsing "Host" header

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=27627>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=27627

Buffer overflow in jk2 connector while parsing "Host" header

           Summary: Buffer overflow in jk2 connector while parsing "Host"
                    header
           Product: Tomcat 4
           Version: 4.1.30
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Connector:Coyote JK 2
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: tomcat@kivus.no-ip.org


There is a buffer overflow bug in the following code in jk2 connector
(jk/native2/common/jk_uriMap.c, jk2_uriMap_getHostCache function):

char key[1024];                       /* fixed-size stack buffer */

if (!vhost && !port)
    return uriMap->vhosts->get(env, uriMap->vhosts, "*");
if (!vhost)
    vhost = "*";
sprintf(key, "%s:%d", vhost, port);   /* no bound on strlen(vhost): writes past 'key' when vhost is long */

The value of the 'vhost' variable comes from the "Host" header and the maximum 
length of this variable depends on the web server (for Apache2 it is more than 
1024). 
A client that connects to the web server and enters a "Host" header longer than 
1024 characters will cause a web server crash (and this may even enable clients 
to execute arbitrary code on the server!).
A similar bug is in the jk2_uriMap_hostMap function.
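Added example, not the connector's code or the reporter's: a bounds-checked replacement for the sprintf() call shown above, next to a helper that computes how many bytes the original sprintf() would write for a given Host value. Function names (build_host_key, unsafe_key_len) and the oversized sample Host value are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define HOST_KEY_SIZE 1024   /* same fixed size as the 'key' buffer in the report */

/*
 * Hypothetical hardened replacement for the sprintf() call (not the
 * connector's own code): snprintf() never writes past key_size, and its
 * return value tells us whether the full "vhost:port" string fit.
 * Returns the key length on success, -1 if it would have been truncated.
 */
int build_host_key(char *key, size_t key_size, const char *vhost, int port)
{
    if (key == NULL || key_size == 0)
        return -1;
    if (vhost == NULL)
        vhost = "*";             /* same default as the original code */

    int n = snprintf(key, key_size, "%s:%d", vhost, port);
    if (n < 0 || (size_t)n >= key_size) {
        key[0] = '\0';           /* well-defined empty key instead of a partial one */
        return -1;
    }
    return n;
}

/*
 * How many bytes the original sprintf(key, "%s:%d", vhost, port) would
 * write (excluding the terminator), regardless of the 1024-byte buffer.
 * Anything >= HOST_KEY_SIZE is an out-of-bounds write in the original.
 */
int unsafe_key_len(const char *vhost, int port)
{
    if (vhost == NULL)
        vhost = "*";
    return snprintf(NULL, 0, "%s:%d", vhost, port);
}

int main(void)
{
    char key[HOST_KEY_SIZE];
    char big[2001];                       /* constructed oversized Host value */
    memset(big, 'a', 2000);
    big[2000] = '\0';
    printf("normal: %d -> %s\n", build_host_key(key, sizeof key, "example.org", 8009), key);
    printf("oversized: sprintf would write %d bytes, snprintf version returns %d\n",
           unsafe_key_len(big, 80), build_host_key(key, sizeof key, big, 80));
    return 0;
}
```

The boundary is exactly the one in the report: a "vhost:port" string of 1023 bytes still fits, 1024 does not.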
