Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/04/05 14:35:28 UTC
DO NOT REPLY [Bug 28204] New: [PATCH] ab: does not handle urls that are too long
http://issues.apache.org/bugzilla/show_bug.cgi?id=28204
Summary: [PATCH] ab: does not handle urls that are too long
Product: Apache httpd-2.0
Version: 2.1-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: Minor
Priority: Other
Component: support
AssignedTo: bugs@httpd.apache.org
ReportedBy: erik.weidel@mplus-technologies.de
In Apache Bench there is no check that the length of the URL given on the
command line matches the size of the internal request buffer (variable _request).
So the sprintf causes a buffer overflow. In my case this overwrote the variable
containing the port, so I could not connect to the server.
I patched this to use the apr_snprintf function and exit with an error "request
too long".
I also increased the buffer size for the request to 2048 because 512 was too
small for my tests.
Index: ab.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/support/ab.c,v
retrieving revision 1.143
diff -u -r1.143 ab.c
--- ab.c 25 Mar 2004 00:05:00 -0000 1.143
+++ ab.c 5 Apr 2004 12:31:15 -0000
@@ -313,7 +313,7 @@
apr_time_t start, endtime;
/* global request (and its length) */
-char _request[512];
+char _request[2048];
char *request = _request;
apr_size_t reqlen;
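Review bot: the new size in `char _request[2048];` is a bare literal, and the later calls in this patch depend on it through `sizeof(_request)`. Give the request buffer size a named constant and state in the comment above the declaration that longer requests are rejected, since raising the limit from 512 only moves the point at which a long URL fails.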
@@ -1534,6 +1534,7 @@
apr_int16_t rv;
long i;
apr_status_t status;
+ int snprintf_res=0;
#ifdef NOT_ASCII
apr_size_t inbytes_left, outbytes_left;
#endif
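Review bot: `int snprintf_res=0;` is later compared with `sizeof(_request)`, which is an unsigned size, so that comparison mixes signed and unsigned operands and a negative result would be converted before the test. Check for a negative value explicitly or cast at the comparison. The initialiser is also redundant, because both branches assign the variable, and the `=` should have spaces around it.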
@@ -1568,7 +1569,7 @@
/* setup request */
if (posting <= 0) {
- sprintf(request, "%s %s HTTP/1.0\r\n"
+ snprintf_res = apr_snprintf(request, sizeof(_request), "%s %s HTTP/1.0\r\n"
"User-Agent: ApacheBench/%s\r\n"
"%s" "%s" "%s"
"Host: %s%s\r\n"
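Review bot: on the `apr_snprintf(request, sizeof(_request), ...` line the destination is the `request` pointer but the bound is the size of the `_request` array. The two agree only while `request` still points at `_request`, as set up in the first hunk; if `request` is ever pointed at another buffer the bound is wrong. Keep the capacity in a variable next to the pointer, or format into `_request` directly.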
@@ -1581,7 +1582,7 @@
cookie, auth, host_field, colonhost, hdrs);
}
else {
- sprintf(request, "POST %s HTTP/1.0\r\n"
+ snprintf_res = apr_snprintf(request, sizeof(_request),"POST %s
HTTP/1.0\r\n"
"User-Agent: ApacheBench/%s\r\n"
"%s" "%s" "%s"
"Host: %s%s\r\n"
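Review bot: the added `apr_snprintf` line in the POST branch has been wrapped inside the string literal (`"POST %s` ends one line and `HTTP/1.0\r\n"` starts the next), so this hunk will not apply or compile as posted. Attach the patch as a file instead of pasting it inline, and add the missing space after the comma in `sizeof(_request),"POST`.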
@@ -1596,6 +1597,9 @@
cookie, auth,
host_field, colonhost, postlen,
(content_type[0]) ? content_type : "text/plain", hdrs);
+ }
+ if (snprintf_res >= sizeof(_request)) {
+ err("request too long");
}
if (verbosity >= 2)
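Review bot: the test `if (snprintf_res >= sizeof(_request))` only catches an overlong request if `apr_snprintf` reports truncation by returning a value at least as large as the size it was given. Confirm that against the APR documentation for the version ab is built with; if it returns at most one less than the size when output is cut, the comparison needs to be against `sizeof(_request) - 1`. The `err("request too long")` message would also be more useful if it named the limit.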
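The bounded-formatting check the report describes, as an added example that is not part of the original message or of ab.c. It assumes standard C99 snprintf rather than apr_snprintf, and the helper names, the User-Agent string and the port value are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define REQ_MAX 2048   /* buffer size taken from the patch */

/* Format a GET request; return its length, or -1 if it does not fit. */
static int build_get_request(char *buf, size_t bufsize,
                             const char *path, const char *host)
{
    int n;
    if (buf == NULL || bufsize == 0)
        return -1;
    n = snprintf(buf, bufsize,
                 "GET %s HTTP/1.0\r\n"
                 "User-Agent: ExampleBench/0.1\r\n"
                 "Host: %s\r\n"
                 "Accept: */*\r\n\r\n", path, host);
    /* C99: n is the untruncated length; n >= bufsize means truncation. */
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';     /* never leave a truncated request behind */
        return -1;
    }
    return n;
}

/* Constructed input: "/" plus path_len 'a' bytes; port sits beside the buffer. */
static int try_path_len(size_t path_len, unsigned short *port_after)
{
    static char path[2 * REQ_MAX];
    struct { char request[REQ_MAX]; unsigned short port; } st;
    int n;
    if (path_len + 2 > sizeof(path))
        return -1;
    st.port = 8080;        /* hypothetical neighbouring value */
    path[0] = '/';
    memset(path + 1, 'a', path_len);
    path[1 + path_len] = '\0';
    n = build_get_request(st.request, sizeof(st.request), path, "localhost");
    *port_after = st.port;
    return n;
}

int main(void)
{
    unsigned short port = 0;
    int n = try_path_len(3000, &port);
    printf("3000-byte path: result %d, port still %u\n", n, (unsigned)port);
    return 0;
}
```

The fixed part of this request is 77 bytes, so the longest path that fits in the 2048-byte buffer here is 1970 bytes including the leading slash.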