Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/11/01 03:10:42 UTC

DO NOT REPLY [Bug 24314] New: - jk2/AJP13: jkstatus unsafely prints jk_stat->active


http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24314

jk2/AJP13: jkstatus unsafely prints jk_stat->active

           Summary: jk2/AJP13: jkstatus unsafely prints jk_stat->active
           Product: Tomcat 4
           Version: 4.0.4 Final
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Connector:Coyote JK 2
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: kylev@yaga.com


I saw this under LastReq a couple of times in my jkstatus page (built from the
2.0.2 tarball):

/cnetcd/aiListTransactions.do;jsessionid=3C39F41641B7CA3405B45D0¢<Ù?

Which seems really scary.  Sure enough, in jk_worker_ajp13.c we see that this
struct field (struct jk_stat's active is char[64]) is populated by a strncpy on
line 472:

    /* XXX configurable ? */
    strncpy( e->stats->active, s->req_uri, 64);

In jk_worker_status.c, the utility function jk2_worker_status_displayStat(...)
doesn't pay attention to this size, using jkprintf:

    s->jkprintf(env, s, "<td>%s</td>\n",  JK_CHECK_NULL(stat->active) );

jkprintf is a void* to jk2_requtil_printf, which does expect a NULL-terminated
string!  It will occasionally wander off into oblivion until it hits a null.  Icky.
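An added illustration of the two halves of this bug, written for this thread and not taken from the report or from the mod_jk2 sources: the strncpy pattern quoted above leaves the 64-byte `active` field without a terminating NUL whenever the request URI is 64 bytes or longer, so a later "%s" reads past the field. The constructed URI below is an assumption (any string of 64+ bytes triggers it); the field size of 64 and the two code fragments mirror what the report quotes. It also shows the two defensive fixes a maintainer would reach for: force a terminator after the copy, and bound the print with a "%.*s" precision so the formatter can never scan beyond the field even if the copy is left as-is.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Size of struct jk_stat's `active` field as stated in the report (char[64]). */
#define ACTIVE_LEN 64

/* Constructed sample URIs (not from any real server). LONG_URI is longer than
 * ACTIVE_LEN; SHORT_URI fits with room to spare. */
const char LONG_URI[] =
    "/cnetcd/aiListTransactions.do;jsessionid="
    "0123456789ABCDEF0123456789ABCDEF01234567";
const char SHORT_URI[] = "/index.do";

/* The copy the report quotes from jk_worker_ajp13.c: strncpy bounded by the
 * field size. If strlen(src) >= ACTIVE_LEN, strncpy writes no NUL at all. */
void copy_active_unsafe(char *dst, const char *src) {
    strncpy(dst, src, ACTIVE_LEN);
}

/* Hardened copy: leave one byte for the terminator and always write it. */
void copy_active_safe(char *dst, const char *src) {
    strncpy(dst, src, ACTIVE_LEN - 1);
    dst[ACTIVE_LEN - 1] = '\0';
}

/* True if a NUL exists somewhere in the field, i.e. a plain "%s" would stop
 * inside it rather than running off the end of the struct. */
bool is_terminated(const char *field) {
    return memchr(field, '\0', ACTIVE_LEN) != NULL;
}

/* Fill the field with a non-NUL sentinel so any terminator we find afterwards
 * must have been written by the copy routine under test. */
static void fill_sentinel(char *field) {
    memset(field, 'X', ACTIVE_LEN);
}

/* Does the reported strncpy pattern leave the field terminated for this URI? */
bool unsafe_copy_leaves_terminated(const char *uri) {
    char active[ACTIVE_LEN];
    fill_sentinel(active);
    copy_active_unsafe(active, uri);
    return is_terminated(active);
}

/* Same question for the hardened copy. */
bool safe_copy_leaves_terminated(const char *uri) {
    char active[ACTIVE_LEN];
    fill_sentinel(active);
    copy_active_safe(active, uri);
    return is_terminated(active);
}

/* Length of the string the hardened copy produces (never more than 63). */
size_t safe_copy_length(const char *uri) {
    char active[ACTIVE_LEN];
    fill_sentinel(active);
    copy_active_safe(active, uri);
    return strlen(active);
}

/* Defensive print for a field that may not be terminated: the ".*" precision
 * caps the read at ACTIVE_LEN bytes, so printf never scans past the field even
 * when the unsafe copy was used. Returns the number of bytes the row occupies.
 * For a 64-byte unterminated field that is 4 + 64 + 6 = 74. */
int bounded_row_length(const char *uri) {
    char active[ACTIVE_LEN];
    char row[128];
    fill_sentinel(active);
    copy_active_unsafe(active, uri);
    return snprintf(row, sizeof row, "<td>%.*s</td>\n", ACTIVE_LEN, active);
}

int main(void) {
    printf("long URI, strncpy(…, 64) terminated? %s\n",
           unsafe_copy_leaves_terminated(LONG_URI) ? "yes" : "NO");
    printf("long URI, hardened copy terminated?  %s (len %zu)\n",
           safe_copy_leaves_terminated(LONG_URI) ? "yes" : "NO",
           safe_copy_length(LONG_URI));
    printf("bounded row length for long URI: %d\n", bounded_row_length(LONG_URI));
    return 0;
}
```

The sentinel fill matters for the demonstration: in the real connector the bytes after a short `active` come from whatever the struct held before, which is exactly why the symptom is intermittent rather than a reliable crash.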
