You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Evgeny Kotkov <ev...@visualsvn.com> on 2016/05/12 14:33:23 UTC
[PATCH] mod_proxy_http2: fix theoretically possible segfault when
parsing URL
This patch fixes a theoretically possible segfault in mod_proxy_http2.
Please see the open_stream() function in h2_proxy_session.c:598. If the
call to apr_uri_parse() fails, some of the apr_uri_t's fields may be set
to NULL, and this would cause a segfault in the following lines:
authority = puri.hostname;
if (!ap_strchr_c(authority, ':') && puri.port
...
Currently, the URIs are preprocessed by ap_proxy_canon_netloc() much earlier
than opening the proxy stream, but this may not hold in the future. As well
as that, I think that there might be subtle differences between how these two
functions handle invalid URIs, and that could also result in the crash.
I attached the patch with a fix for this issue.
While here, I also spotted an opportunity for a minor code cleanup. There
are a couple of places where a function returns an apr_status_t, but the
calling site tests the result against the OK (hook return code). I updated
such places in the second patch.
Regards,
Evgeny Kotkov
Re: [PATCH] mod_proxy_http2: fix theoretically possible segfault when parsing URL
Posted by Stefan Eissing <st...@greenbytes.de>.
Evgeny, both patches look fine. Thanks! Applied in r1743517.
Cheers,
Stefan
> Am 12.05.2016 um 16:33 schrieb Evgeny Kotkov <ev...@visualsvn.com>:
>
> This patch fixes a theoretically possible segfault in mod_proxy_http2.
>
> Please see the open_stream() function in h2_proxy_session.c:598. If the
> call to apr_uri_parse() fails, some of the apr_uri_t's fields may be set
> to NULL, and this would cause a segfault in the following lines:
>
> authority = puri.hostname;
> if (!ap_strchr_c(authority, ':') && puri.port
> ...
>
> Currently, the URIs are preprocessed by ap_proxy_canon_netloc() much earlier
> than opening the proxy stream, but this may not hold in the future. As well
> as that, I think that there might be subtle differences between how these two
> functions handle invalid URIs, and that could also result in the crash.
>
> I attached the patch with a fix for this issue.
>
> While here, I also spotted an opportunity for a minor code cleanup. There
> are a couple of places where a function returns an apr_status_t, but the
> calling site tests the result against the OK (hook return code). I updated
> such places in the second patch.
>
>
> Regards,
> Evgeny Kotkov
> <h2-proxy-uri-parse-v1.patch.txt><h2-proxy-apr-status-cleanup-v1.patch.txt>