Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/11/01 03:10:42 UTC
DO NOT REPLY [Bug 24314] New: - jk2/AJP13: jkstatus unsafely prints jk_stat->active
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24314>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24314
Summary: jk2/AJP13: jkstatus unsafely prints jk_stat->active
Product: Tomcat 4
Version: 4.0.4 Final
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: Other
Component: Connector:Coyote JK 2
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: kylev@yaga.com
I saw this under LastReq a couple of times in my jkstatus page (built from the
2.0.2 tarball):
/cnetcd/aiListTransactions.do;jsessionid=3C39F41641B7CA3405B45D0¢<Ù?
Which seems really scary. Sure enough, in jk_worker_ajp13.c we see that this
struct field (struct jk_stat's active is char[64]) is populated by a strncpy on
line 472:
/* XXX configurable ? */
strncpy( e->stats->active, s->req_uri, 64);
In jk_worker_status.c, the utility function jk2_worker_status_displayStat(...)
doesn't pay attention to this size, using jkprintf:
s->jkprintf(env, s, "<td>%s</td>\n", JK_CHECK_NULL(stat->active) );
jkprintf is a void* to jk2_requtil_printf, which expects a NULL-terminated
string! It will occasionally wander off into oblivion until it hits a null. Icky.
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
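The following is an added illustration of the defect described in the report, not code from the Tomcat/jk2 sources: it reproduces the strncpy-with-full-size pattern on a stand-in for the char[64] active field, shows a copy that always terminates, and shows how a precision bound on the format string caps the read on the display side. The struct layout, the helper names and the constructed request URI are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define ACTIVE_LEN 64   /* struct jk_stat's active is char[64] per the report */

/* Minimal stand-in for the stats record; only the field size comes from the report. */
struct stat_rec { char active[ACTIVE_LEN]; };

/* Constructed request URI of n 'A' characters (hypothetical helper, static buffer). */
static const char *constructed_uri(size_t n) {
    static char buf[256];
    if (n > sizeof buf - 1) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

/* The pattern quoted in the report: strncpy with the full field size. When the
   source has >= 64 chars, no terminator is written into active[]. */
static void set_active_as_reported(struct stat_rec *st, const char *req_uri) {
    strncpy(st->active, req_uri, ACTIVE_LEN);
}

/* Hardened copy: leave room for, and always write, the terminator. */
static void set_active_terminated(struct stat_rec *st, const char *req_uri) {
    strncpy(st->active, req_uri, ACTIVE_LEN - 1);
    st->active[ACTIVE_LEN - 1] = '\0';
}

/* 1 if a NUL lies within the 64 bytes of active[], 0 if a %s read would run past. */
int unsafe_copy_is_terminated(size_t uri_len) {
    struct stat_rec st;
    set_active_as_reported(&st, constructed_uri(uri_len));
    return memchr(st.active, '\0', ACTIVE_LEN) != NULL;
}

/* Length of the field after the terminated copy; at most 63. */
size_t safe_copy_strlen(size_t uri_len) {
    struct stat_rec st;
    set_active_terminated(&st, constructed_uri(uri_len));
    return memchr(st.active, '\0', ACTIVE_LEN) ? strlen(st.active) : (size_t)-1;
}

/* Display-side fix: a precision bound ("%.*s") caps the read at 64 bytes even
   when the field was filled by the unterminated copy. Returns bytes rendered. */
int bounded_render_len(size_t uri_len) {
    struct stat_rec st;
    char out[128];
    set_active_as_reported(&st, constructed_uri(uri_len));
    return snprintf(out, sizeof out, "<td>%.*s</td>\n", ACTIVE_LEN, st.active);
}
```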