Posted to dev@httpd.apache.org by Dean Gaudet <dg...@arctic.org> on 1997/11/08 03:26:35 UTC

os-windows/1378: Server on Windows NT crashes with very long URL (fwd)

We need to change the calling convention for os_canonical_filename to
include a buffer length and a failure code (if it doesn't have one
already).  We shouldn't just patch around this by making bigger buffers...

Dean

---------- Forwarded message ----------
Date: 7 Nov 1997 14:24:31 -0000
From: Malcolm Green <ma...@mgdev.demon.co.uk>
To: apbugs@hyperreal.org
Subject: os-windows/1378: Server on Windows NT crashes with very long URL


>Number:         1378
>Category:       os-windows
>Synopsis:       Server on Windows NT crashes with very long URL
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Nov  7 06:30:00 PST 1997
>Last-Modified:
>Originator:     malcolm@mgdev.demon.co.uk
>Organization:
apache
>Release:        1.3b2
>Environment:
NT 4.0  Visual C++ 5.0
>Description:
When a long URL (such as a query URL) is received, the Windows NT version of Apache crashes with stack corruption.
>How-To-Repeat:
http://mars.superlink.net/rzeitel/cass.html, then press Create button
>Fix:
The problem is caused by character buffers in sub_canonical_filename and os_canonical_filename in \os\win32\util_win32.c being too small.  Changing their size from _MAX_PATH to HUGE_STRING_LENGTH appears to fix the problem.

In the same area, inserting the following lines at the beginning of sub_canonical_filename appears to fix problems 1265 and 1315:
    if (strncmp(szFile, "proxy:", 6) == 0)
    {
	strcpy (szCanon, szFile);
	return;
    }
>Audit-Trail:
>Unformatted:



Re: os-windows/1378: Server on Windows NT crashes with very long URL (fwd)

Posted by Ben Laurie <be...@algroup.co.uk>.
Marc Slemko wrote:
> ...off to figure out how to stop our )#*@()# Pentium shell boxes
> from being crashed by pathetic pukes with nothing better to do
> than exploit Intel's stupidity.  Grrrrrr.  Wonder if process
> accounting is quick enough to catch who did it before it dies.

I really doubt it! 4 bytes of code and you're dead.

Hmmm ... actually, switch on auditing and look for the most recently
loaded .exe?

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache

Re: os-windows/1378: Server on Windows NT crashes with very long URL (fwd)

Posted by Marc Slemko <ma...@worldgate.com>.
On Fri, 7 Nov 1997, Dean Gaudet wrote:

> We need to change the calling convention for os_canonical_filename to
> include a buffer length and a failure code (if it doesn't have one
> already).  We shouldn't just patch around this by making bigger buffers...

Are you kidding?  The only reason 90% of Apache works is because of 
HUGE_STRING_LENGTH.  <g>  

It actually is a bit disturbing, and I agree it should be eliminated
where possible...

...off to figure out how to stop our )#*@()# Pentium shell boxes
from being crashed by pathetic pukes with nothing better to do
than exploit Intel's stupidity.  Grrrrrr.  Wonder if process
accounting is quick enough to catch who did it before it dies.
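
The calling convention proposed at the top of the thread (a buffer length plus a failure code), sketched as an added example that is not Apache's code and not part of the original messages. The name `canon_filename_bounded`, the return codes and the simplified canonicalisation rules are assumptions; the "proxy:" pass-through is the one from the bug report with a length check in place of `strcpy`.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define CANON_OK        0
#define CANON_TOO_LONG  (-1)   /* result does not fit: caller rejects the request */
#define CANON_BAD_ARG   (-2)

/* Hypothetical bounded variant. The rules applied here (backslash -> slash,
 * lowercase, collapse "//") are a stand-in for illustration, not the logic
 * of util_win32.c. */
int canon_filename_bounded(const char *src, char *dst, size_t dst_len)
{
    size_t out = 0;
    char prev = '\0';

    if (src == NULL || dst == NULL || dst_len == 0)
        return CANON_BAD_ARG;

    /* "proxy:" names are copied unchanged, but only if they fit. */
    if (strncmp(src, "proxy:", 6) == 0) {
        size_t n = strlen(src);
        if (n >= dst_len) {
            dst[0] = '\0';
            return CANON_TOO_LONG;
        }
        memcpy(dst, src, n + 1);
        return CANON_OK;
    }

    for (; *src != '\0'; src++) {
        char c = (*src == '\\') ? '/' : (char)tolower((unsigned char)*src);
        if (c == '/' && prev == '/')
            continue;                 /* collapse repeated separators */
        if (out + 1 >= dst_len) {     /* keep one byte for the terminator */
            dst[0] = '\0';            /* never hand back a truncated path */
            return CANON_TOO_LONG;
        }
        dst[out++] = c;
        prev = c;
    }
    dst[out] = '\0';
    return CANON_OK;
}
```

Returning an error instead of a truncated path matters here: a silently shortened filename could resolve to a different file than the one access checks were applied to.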