You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Evgeny Kotkov <ev...@visualsvn.com> on 2016/05/12 14:33:23 UTC

[PATCH] mod_proxy_http2: fix theoretically possible segfault when parsing URL

This patch fixes a theoretically possible segfault in mod_proxy_http2.

Please see the open_stream() function in h2_proxy_session.c:598.  If the
call to apr_uri_parse() fails, some of the apr_uri_t's fields may be set
to NULL, and this would cause a segfault in the following lines:

    authority = puri.hostname;
    if (!ap_strchr_c(authority, ':') && puri.port
    ...

Currently, the URIs are preprocessed by ap_proxy_canon_netloc() much earlier
than opening the proxy stream, but this may not hold in the future.  As well
as that, I think that there might be subtle differences between how these two
functions handle invalid URIs, and that could also result in the crash.

I attached the patch with a fix for this issue.

While here, I also spotted an opportunity for a minor code cleanup.  There
are a couple of places where a function returns an apr_status_t, but the
calling site tests the result against the OK (hook return code).  I updated
such places in the second patch.


Regards,
Evgeny Kotkov

Re: [PATCH] mod_proxy_http2: fix theoretically possible segfault when parsing URL

Posted by Stefan Eissing <st...@greenbytes.de>.

Evgeny, both patches look fine. Thanks! Applied in r1743517.

Cheers,

  Stefan

> Am 12.05.2016 um 16:33 schrieb Evgeny Kotkov <ev...@visualsvn.com>:
> 
> This patch fixes a theoretically possible segfault in mod_proxy_http2.
> 
> Please see the open_stream() function in h2_proxy_session.c:598.  If the
> call to apr_uri_parse() fails, some of the apr_uri_t's fields may be set
> to NULL, and this would cause a segfault in the following lines:
> 
>    authority = puri.hostname;
>    if (!ap_strchr_c(authority, ':') && puri.port
>    ...
> 
> Currently, the URIs are preprocessed by ap_proxy_canon_netloc() much earlier
> than opening the proxy stream, but this may not hold in the future.  As well
> as that, I think that there might be subtle differences between how these two
> functions handle invalid URIs, and that could also result in the crash.
> 
> I attached the patch with a fix for this issue.
> 
> While here, I also spotted an opportunity for a minor code cleanup.  There
> are a couple of places where a function returns an apr_status_t, but the
> calling site tests the result against the OK (hook return code).  I updated
> such places in the second patch.
> 
> 
> Regards,
> Evgeny Kotkov
> <h2-proxy-uri-parse-v1.patch.txt><h2-proxy-apr-status-cleanup-v1.patch.txt>