Posted to dev@tomcat.apache.org by bu...@apache.org on 2004/03/12 12:01:16 UTC
DO NOT REPLY [Bug 27627] New: Buffer overflow in jk2 connector while parsing "Host" header
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=27627>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=27627
Summary: Buffer overflow in jk2 connector while parsing "Host" header
Product: Tomcat 4
Version: 4.1.30
Platform: All
OS/Version: All
Status: NEW
Severity: Critical
Priority: Other
Component: Connector:Coyote JK 2
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: tomcat@kivus.no-ip.org
There is a buffer overflow bug in the following code in jk2 connector
(jk/native2/common/jk_uriMap.c, jk2_uriMap_getHostCache function):
    char key[1024];

    if (!vhost && !port)
        return uriMap->vhosts->get(env, uriMap->vhosts, "*");
    if (!vhost)
        vhost = "*";
    sprintf(key, "%s:%d", vhost, port);
The value of the 'vhost' variable comes from the "Host" header and the maximum
length of this variable depends on the web server (for Apache2 it is more than
1024).
A client that connects to the web server and sends a "Host" header longer than
1024 characters will cause the web server to crash (and this may even enable
clients to execute arbitrary code on the server!).
A similar bug is in the jk2_uriMap_hostMap function.
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
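The defect above is a fixed-size stack buffer written with an unbounded sprintf. The following is an added example of how that key-building step can be bounded; it is not the Tomcat project's fix and not part of the bug report. The function name jk_build_host_key, the helper jk_key_accepts_host_of_length and the constructed Host values are assumptions for illustration; the 1024-byte key size and the "%s:%d" format are taken from the report.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical hardened replacement for the key-building step in
 * jk2_uriMap_getHostCache (example code, not the Tomcat project's own fix).
 * It keeps the 1024-byte key from the report, but the length is checked
 * before the "host:port" string is used, so an oversized Host value can
 * never run past the end of the buffer. */
#define JK_KEY_LEN 1024

/* Returns 0 and fills 'key' on success, -1 if "vhost:port" would not fit.
 * On failure 'key' is left as an empty string so a partial key is never
 * used as a cache lookup. */
int jk_build_host_key(char *key, size_t keylen, const char *vhost, int port)
{
    int n;

    if (key == NULL || keylen == 0)
        return -1;
    if (vhost == NULL)
        vhost = "*";
    /* snprintf never writes more than keylen bytes (including the NUL) and
     * returns how many bytes the full string would have needed. */
    n = snprintf(key, keylen, "%s:%d", vhost, port);
    if (n < 0 || (size_t)n >= keylen) {
        key[0] = '\0';      /* truncated: reject rather than use a partial key */
        return -1;
    }
    return 0;
}

/* Demonstration helper: builds a key from a constructed Host value made of
 * 'hostlen' repeated 'a' characters and reports whether it was accepted.
 * Returns 1 if the key was built, 0 if it was rejected as too long. */
int jk_key_accepts_host_of_length(size_t hostlen, int port)
{
    char host[4096];
    char key[JK_KEY_LEN];

    if (hostlen >= sizeof host)
        hostlen = sizeof host - 1;
    memset(host, 'a', hostlen);
    host[hostlen] = '\0';
    return jk_build_host_key(key, sizeof key, host, port) == 0;
}

int main(void)
{
    char key[JK_KEY_LEN];

    if (jk_build_host_key(key, sizeof key, "www.example.com", 8080) == 0)
        printf("key = %s\n", key);
    printf("1000-char Host accepted: %d\n", jk_key_accepts_host_of_length(1000, 80));
    printf("2000-char Host accepted: %d\n", jk_key_accepts_host_of_length(2000, 80));
    return 0;
}
```

The important design choice is the return value check: snprintf alone prevents the overwrite, but silently truncating a Host value would map two different hosts to the same cache key, so the caller should treat truncation as an error and fall back to its default handling instead of using the shortened key.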