Posted to dev@httpd.apache.org by dean gaudet <de...@arctic.org> on 2001/09/21 00:20:06 UTC

apache-1.3.20 segfault?

hrm, is the segfault described below a known bug?  (i haven't tried it...)

-dean

---------- Forwarded message ----------
From: Jeff Moe <tu...@themoes.org>
To: tux-list@redhat.com
Subject: Re: Serious TUX 2.4.9-J5 problem
Reply-To: tux-list@redhat.com
List-Subscribe: <https://listman.redhat.com/mailman/listinfo/tux-list>,
	<mailto:tux-list-request@redhat.com?subject=subscribe>
List-Archive: <https://listman.redhat.com/mailman/private/tux-list/>
Date: Thu, 20 Sep 2001 13:54:30 -0600

On Thursday 20 September 2001 10:42 am, Nathan G. Grennan wrote:
[Chop]
>I restarted Tux fresh and telneted to port 80 and pasted the line in and
> sure enough it instantly crashed. I believe the line I used was:
>
> GET /scripts /..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0

Apache 1.3.20 (and presumably earlier) has a similar bug. I noticed this
during the recent worming. It may be related to Tux's problem. Here's how to
reproduce it in Apache:

1) You need to redirect 404s to a 404 document:
ErrorDocument 404 /fourofour.shtml
2) You need to be parsing that file:
AddHandler server-parsed .shtml
3) You need to send it a request like:
http://server.com/test%2fing

Apache will segfault and you'll get a "Document returned no data error" in
the browser.

-Jeff



_______________________________________________
tux-list mailing list
tux-list@redhat.com
https://listman.redhat.com/mailman/listinfo/tux-list


Re: [PATCH] Re: apache-1.3.20 segfault?

Posted by dean gaudet <de...@arctic.org>.
yeah i considered that, but i don't think rr->filename can be NULL in
1.3... 'cause i don't think you can get rr->status == OK with a NULL
filename...

the only calls to ap_translate_name() which succeed are followed by
ap_directory_walk() which tests for a NULL filename and sets it to a copy
of the URI if it's NULL.  so after directory_walk() you can assume the
filename is not NULL.

dunno if that's still true in 2.0, haven't looked.

-dean

On Thu, 20 Sep 2001, Cliff Woolley wrote:

> On Thu, 20 Sep 2001 dean@arctic.org wrote:
>
> > this bug has probably been here forever... i can't imagine any way to
> > exploit it.
>
> Jeff fixed the same bug in 2.0 about a month ago.  His fix was very
> similar to yours, though it did one extra check.  Here's the commit
> message.
>
> --Cliff
>
> --------------------------------------------------------------
> trawick     01/08/22 05:07:40
>
>   Modified:    .        CHANGES
>                modules/filters mod_include.c
>   Log:
>   Fix a segfault in mod_include when the original request has no
>   associated filename (e.g., we're filtering the error document for
>   a bad URI).
>
>   Reported by: Joshua Slive
>
>   Revision  Changes    Path
> [snip]
>   1.126     +2 -2      httpd-2.0/modules/filters/mod_include.c
>
>   Index: mod_include.c
>   ===================================================================
>   RCS file: /home/cvs/httpd-2.0/modules/filters/mod_include.c,v
>   retrieving revision 1.125
>   retrieving revision 1.126
>   diff -u -r1.125 -r1.126
>   --- mod_include.c	2001/08/18 17:36:26	1.125
>   +++ mod_include.c	2001/08/22 12:07:40	1.126
>   @@ -832,8 +832,8 @@
>                        for (p = r; p != NULL && !founddupe; p = p->main) {
>        		    request_rec *q;
>        		    for (q = p; q != NULL; q = q->prev) {
>   -    			if ( (strcmp(q->filename, rr->filename) == 0) ||
>   -    			     (strcmp(q->uri, rr->uri) == 0) ){
>   +    			if ((q->filename && rr->filename &&
> (strcmp(q->filename, rr->filename) == 0)) ||
>   +                            (strcmp(q->uri, rr->uri) == 0)) {
>        			    founddupe = 1;
>        			    break;
>        			}
>
> --------------------------------------------------------------
>    Cliff Woolley
>    cliffwoolley@yahoo.com
>    Charlottesville, VA
>
>
>


Re: [PATCH] Re: apache-1.3.20 segfault?

Posted by Cliff Woolley <cl...@yahoo.com>.
On Thu, 20 Sep 2001 dean@arctic.org wrote:

> this bug has probably been here forever... i can't imagine any way to
> exploit it.

Jeff fixed the same bug in 2.0 about a month ago.  His fix was very
similar to yours, though it did one extra check.  Here's the commit
message.

--Cliff

--------------------------------------------------------------
trawick     01/08/22 05:07:40

  Modified:    .        CHANGES
               modules/filters mod_include.c
  Log:
  Fix a segfault in mod_include when the original request has no
  associated filename (e.g., we're filtering the error document for
  a bad URI).

  Reported by: Joshua Slive

  Revision  Changes    Path
[snip]
  1.126     +2 -2      httpd-2.0/modules/filters/mod_include.c

  Index: mod_include.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/filters/mod_include.c,v
  retrieving revision 1.125
  retrieving revision 1.126
  diff -u -r1.125 -r1.126
  --- mod_include.c	2001/08/18 17:36:26	1.125
  +++ mod_include.c	2001/08/22 12:07:40	1.126
  @@ -832,8 +832,8 @@
                       for (p = r; p != NULL && !founddupe; p = p->main) {
       		    request_rec *q;
       		    for (q = p; q != NULL; q = q->prev) {
  -    			if ( (strcmp(q->filename, rr->filename) == 0) ||
  -    			     (strcmp(q->uri, rr->uri) == 0) ){
  +    			if ((q->filename && rr->filename &&
(strcmp(q->filename, rr->filename) == 0)) ||
  +                            (strcmp(q->uri, rr->uri) == 0)) {
       			    founddupe = 1;
       			    break;
       			}
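Review bot: the second `+` line of the hunk has been wrapped by the mail client, so `(strcmp(q->filename, rr->filename) == 0)) ||` sits on its own physical line without the leading `+` or indentation; the hunk as pasted here will not apply as a patch, so anyone picking it up should take revision 1.126 from CVS rather than this text. The logic is sound: when either `q->filename` or `rr->filename` is NULL the `&&` chain short-circuits before strcmp and the `q->uri`/`rr->uri` comparison still runs, which is what catches a request that was never mapped to a file. One small point for the log: the `+` lines also change the brace and paren spacing (`if ( (...) ){` to `if ((...)) {`), which is fine but is not mentioned in the commit message.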

--------------------------------------------------------------
   Cliff Woolley
   cliffwoolley@yahoo.com
   Charlottesville, VA



[PATCH] Re: apache-1.3.20 segfault?

Posted by de...@arctic.org.
On Thu, 20 Sep 2001, dean gaudet wrote:

> hrm, is the segfault described below a known bug?  (i haven't tried it...)
>
> -dean
>
> ---------- Forwarded message ----------
> From: Jeff Moe <tu...@themoes.org>
> To: tux-list@redhat.com
> Subject: Re: Serious TUX 2.4.9-J5 problem
>
> Apache 1.3.20 (and presumably earlier) has a similar bug. I noticed this
> during the recent worming. It may be related to Tux's problem. Here's how to
> reproduce it in Apache:
>
> 1) You need to redirect 404s to a 404 document:
> ErrorDocument 404 /fourofour.shtml
> 2) You need to be parsing that file:
> AddHandler server-parsed .shtml
> 3) You need to send it a request like:
> http://server.com/test%2fing
>
> Apache will segfault and you'll get a "Document returned no data error" in
> the browser.
>
> -Jeff

yeah this segfault occurs with 1.3.20 and top of 1.3, but it appears you
need something like:

<!--#include virtual="file" -->

in the fourofour.shtml.

patch below fixes it.  however i'm not so sure it's exactly the right
fix... but there appear to be other examples where we test if filename !=
NULL.  (boy am i rusty in apache code.)

this bug has probably been here forever... i can't imagine any way to
exploit it.

-dean

Index: include/httpd.h
===================================================================
RCS file: /home/cvs/apache-1.3/src/include/httpd.h,v
retrieving revision 1.344
diff -u -r1.344 httpd.h
--- include/httpd.h	2001/08/13 17:09:42	1.344
+++ include/httpd.h	2001/09/21 02:09:27
@@ -806,7 +806,7 @@

     char *unparsed_uri;		/* the uri without any parsing performed */
     char *uri;			/* the path portion of the URI */
-    char *filename;
+    char *filename;		/* filename if found, otherwise NULL */
     char *path_info;
     char *args;			/* QUERY_ARGS, if any */
     struct stat finfo;		/* ST_MODE set to zero if no such file */
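Review bot: the new comment on the `+` line, `/* filename if found, otherwise NULL */`, is less precise than the reasoning given elsewhere in this thread, where ap_directory_walk() is said to set a NULL filename to a copy of the URI, so after directory_walk() the field is never NULL. Consider saying when it can still be NULL (a request whose translation failed before directory_walk() ran, such as the 404 that triggers the error document here), so that readers of httpd.h know which code paths must test for it.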
Index: modules/standard/mod_include.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/modules/standard/mod_include.c,v
retrieving revision 1.129
diff -u -r1.129 mod_include.c
--- modules/standard/mod_include.c	2001/07/13 19:45:52	1.129
+++ modules/standard/mod_include.c	2001/09/21 02:09:27
@@ -718,7 +718,7 @@
                 for (p = r; p != NULL && !founddupe; p = p->main) {
 		    request_rec *q;
 		    for (q = p; q != NULL; q = q->prev) {
-			if ( (strcmp(q->filename, rr->filename) == 0) ||
+			if ( (q->filename && strcmp(q->filename, rr->filename) == 0) ||
 			     (strcmp(q->uri, rr->uri) == 0) ){
 			    founddupe = 1;
 			    break;
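Review bot: the `+` line guards `q->filename` but still passes `rr->filename` to strcmp unguarded; the httpd-2.0 commit quoted in this thread tests both pointers (`q->filename && rr->filename && ...`). The reply above argues that rr->filename cannot be NULL when rr->status == OK because directory_walk() has run; if the fix relies on that invariant, record it in a comment at the check, otherwise mirror the 2.0 condition so the two branches stay in step. The `q->uri`/`rr->uri` comparison on the unchanged context line remains unguarded in both trees, which is fine since uri is always set.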
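The crash path described in this thread and the guarded check, as an added example (not Apache's code): a constructed stand-in for `request_rec` with only the fields the mod_include recursion check reads, the request chain from Jeff's reproduction (bad URI with no filename, ErrorDocument redirect, `#include virtual` sub-request), a function that reports where the unpatched `strcmp(q->filename, rr->filename)` would be handed a NULL, and the check guarded on both pointers as in the quoted 2.0 commit. The document root paths and the `/file` include target are made up.

```c
#include <string.h>

/* Constructed stand-in for Apache's request_rec: only the fields the check reads. */
typedef struct request_rec {
    const char *uri;            /* path part of the URI, always set */
    const char *filename;       /* NULL when no file was mapped to the URI */
    struct request_rec *main;   /* for a sub-request, the request it came from */
    struct request_rec *prev;   /* for an internal redirect, the request before it */
} request_rec;

/* Walks the chain the way the 1.3.20 check does and returns 1 at the first
 * point where strcmp(q->filename, rr->filename) would receive a NULL pointer,
 * 0 if the walk finishes (with or without finding a duplicate) without one. */
int unpatched_walk_crashes(const request_rec *r, const request_rec *rr)
{
    const request_rec *p, *q;
    for (p = r; p != NULL; p = p->main)
        for (q = p; q != NULL; q = q->prev) {
            if (q->filename == NULL || rr->filename == NULL)
                return 1;       /* the segfault reported in the thread */
            if (strcmp(q->filename, rr->filename) == 0 ||
                strcmp(q->uri, rr->uri) == 0)
                return 0;       /* founddupe = 1; break; */
        }
    return 0;
}

/* The recursion check with both filename pointers guarded, as in the
 * httpd-2.0 commit; uri is always set, so that comparison still catches a
 * request that never got a filename. Returns 1 if rr duplicates an ancestor. */
int founddupe(const request_rec *r, const request_rec *rr)
{
    const request_rec *p, *q;
    for (p = r; p != NULL; p = p->main)
        for (q = p; q != NULL; q = q->prev)
            if ((q->filename && rr->filename &&
                 strcmp(q->filename, rr->filename) == 0) ||
                strcmp(q->uri, rr->uri) == 0)
                return 1;
    return 0;
}

/* Constructed chain from the reproduction: the request for the bad URI was
 * never mapped to a file, the 404 ErrorDocument is an internal redirect from
 * it (prev), and the SSI include is a sub-request of the error document (main). */
static request_rec orig   = { "/test%2fing",      NULL,                      NULL,    NULL  };
static request_rec errdoc = { "/fourofour.shtml", "/htdocs/fourofour.shtml", NULL,    &orig };
static request_rec inc    = { "/file",            "/htdocs/file",            &errdoc, NULL  };
static request_rec self   = { "/fourofour.shtml", "/htdocs/fourofour.shtml", &errdoc, NULL  };
```

Including a different file from the error document walks back to the original request and hits its NULL filename, which is why the reproduction needs an `#include virtual`; an include of the error document itself matches on the first comparison and never reaches the NULL.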