You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/04/05 14:35:28 UTC

DO NOT REPLY [Bug 28204] New: - [PATCH] ab: does not handle urls that are too long

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=28204>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=28204

[PATCH] ab: does not handle urls that are too long

           Summary: [PATCH] ab: does not handle urls that are too long
           Product: Apache httpd-2.0
           Version: 2.1-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Minor
          Priority: Other
         Component: support
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: erik.weidel@mplus-technologies.de


In apache bench is no checking if the length of the url given in the commandline
matches the size of the internal request buf (variable _request). 
So the sprintf causes a buffer overflow. In my case this overwrote the variable 
containing the port so I could not connect to the server.

I patched this to use the apr_snprintf function and exit with an error "request
too long".
I also increased the buffer size for the request to 2048 because 512 was too
small for my tests.

Index: ab.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/support/ab.c,v
retrieving revision 1.143
diff -u -r1.143 ab.c
--- ab.c        25 Mar 2004 00:05:00 -0000      1.143
+++ ab.c        5 Apr 2004 12:31:15 -0000
@@ -313,7 +313,7 @@
 apr_time_t start, endtime;

 /* global request (and its length) */
-char _request[512];
+char _request[2048];
 char *request = _request;
 apr_size_t reqlen;

@@ -1534,6 +1534,7 @@
     apr_int16_t rv;
     long i;
     apr_status_t status;
+    int snprintf_res=0;
 #ifdef NOT_ASCII
     apr_size_t inbytes_left, outbytes_left;
 #endif
@@ -1568,7 +1569,7 @@

     /* setup request */
     if (posting <= 0) {
-       sprintf(request, "%s %s HTTP/1.0\r\n"
+        snprintf_res = apr_snprintf(request, sizeof(_request), "%s %s HTTP/1.0\r\n"
                "User-Agent: ApacheBench/%s\r\n"
                "%s" "%s" "%s"
                "Host: %s%s\r\n"
@@ -1581,7 +1582,7 @@
                cookie, auth, host_field, colonhost, hdrs);
     }
     else {
-       sprintf(request, "POST %s HTTP/1.0\r\n"
+        snprintf_res = apr_snprintf(request,  sizeof(_request),"POST %s
HTTP/1.0\r\n"
                "User-Agent: ApacheBench/%s\r\n"
                "%s" "%s" "%s"
                "Host: %s%s\r\n"
@@ -1596,6 +1597,9 @@
                cookie, auth,
                host_field, colonhost, postlen,
                (content_type[0]) ? content_type : "text/plain", hdrs);
+    }
+    if (snprintf_res >= sizeof(_request)) {
+        err("request too long");
     }

     if (verbosity >= 2)

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org