You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/12/11 00:03:33 UTC
DO NOT REPLY [Bug 41143] New: - Incorrect ap_getline assumption in mod_proxy_http
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41143>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41143
Summary: Incorrect ap_getline assumption in mod_proxy_http
Product: Apache httpd-2
Version: 2.2-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_proxy
AssignedTo: bugs@httpd.apache.org
ReportedBy: davi@haxent.com.br
The misplaced ap_getline may discard a valid header after a too long header, ap_getline already discards
extra data.
The patch (side effect) also reduces the stack usage considerably (by 8KB).
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 41143] - Incorrect ap_getline assumption in mod_proxy_http
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41143>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41143
davi@haxent.com.br changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |PatchAvailable
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 41143] - Incorrect ap_getline assumption in mod_proxy_http
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41143>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41143
------- Additional Comments From davi@apache.org 2007-06-28 14:50 -------
(In reply to comment #4)
> (In reply to comment #0)
> > The misplaced ap_getline may discard a valid header after a too long header,
> > ap_getline already discards extra data.
>
> I am no sure if this is true in the case that the header is larger than 16KB,
> because in this case ap_rgetline_core will be left after the second
> ap_get_brigade (in the case we only have the ap_core_input_filter in the input
> filter chain, not checked the SSL case) which only read 16KB from the socket.
>
Bear with me:
ap_proxy_read_headers() calls ap_getline() with a buffer of 8192 bytes. ap_getline()
creates a brigade and calls ap_rgetline() to get a line of protocol input (and to copy
the line to the buffer). ap_rgetline_core() calls ap_get_brigade(AP_MODE_GETLINE)
which returns a line (brigade) of 8200 bytes (for the sake of example). If all data
is in the first bucket, the line size could overflow the buffer, then APR_ENOSPC
is returned. ap_getline sees the APR_ENOSPC and returns the buffer size.
We have two problems here. First, if the data of the first bucket overflows the buffer,
the data is not copied but ap_getline returns the size of the buffer (meaning that the
data was copied). Second, ap_proxy_read_headers checks if the returned len is >= than
the buffer size-1, if so, it calls ap_getline again, but the line was already read by
ap_get_brigade and discarded.
Makes sense now?
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 41143] - Incorrect ap_getline assumption in mod_proxy_http
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41143>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41143
------- Additional Comments From rpluem@apache.org 2007-06-29 07:02 -------
(In reply to comment #7)
> (In reply to comment #6)
> > But ap_get_brigade(AP_MODE_GETLINE) returns 8192 bytes at max and it is not
> > guaranteed that this data contains a LF.
>
> No! ap_get_brigade(AP_MODE_GETLINE) may return much more than 8192 bytes.
Ok. You are correct with this. Sorry, I misread the loop.
> Suppose a brigade has two buckets of APR_BUCKET_BUFF_SIZE (8000) bytes each
> and the line break is on the second bucket, at position 4000. In this case,
> apr_brigade_split_line() will read the first bucket, and will proceed to read the
> next one since it's size is not >= HUGE_STRING_LEN. It will find a LF on the
second
> one and return a brigade of 12000 bytes.
So apr_brigade_split_line() will not return more than maxbytes-1 + the size of
the following bucket. So the brigade returned by ap_get_brigade(AP_MODE_GETLINE)
may not contain the LF if the header is long enough (I would suppose that 16KB =
2 * 8000 (APR_BUCKET_BUFF_SIZE) + 384 should be sufficient to get there).
I admit that this is a constructed edge case that might not happen in real life :-).
>
> > I agree that current code does it wrong, but I fear that there are other cases
> > where your patch will do it wrong.
>
> Would you care to elaborate? Also, i'm not sure too if it's the best fix, but
it can't
> get any worse (famous last words).
It is not getting worse, only different :-).
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 41143] - Incorrect ap_getline assumption in mod_proxy_http
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41143>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41143
------- Additional Comments From rpluem@apache.org 2007-06-28 15:06 -------
(In reply to comment #5)
> Bear with me:
>
> ap_proxy_read_headers() calls ap_getline() with a buffer of 8192 bytes.
ap_getline()
> creates a brigade and calls ap_rgetline() to get a line of protocol input (and
to copy
> the line to the buffer). ap_rgetline_core() calls ap_get_brigade(AP_MODE_GETLINE)
> which returns a line (brigade) of 8200 bytes (for the sake of example). If all
data
But ap_get_brigade(AP_MODE_GETLINE) returns 8192 bytes at max and it is not
guaranteed that this data contains a LF. It is only guaranteed that
ap_get_brigade(AP_MODE_GETLINE) does not read *past* a LF. See
ap_core_input_filter and apr_brigade_split_line for why.
>
> Makes sense now?
I agree that current code does it wrong, but I fear that there are other cases
where your patch will do it wrong.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 41143] - Incorrect ap_getline assumption in mod_proxy_http
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41143>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41143
------- Additional Comments From davi@haxent.com.br 2006-12-10 15:04 -------
Created an attachment (id=19239)
--> (http://issues.apache.org/bugzilla/attachment.cgi?id=19239&action=view)
patch against the 2.2.x branch
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 41143] - Incorrect ap_getline assumption in mod_proxy_http
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41143>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41143
jfclere@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
------- Additional Comments From jfclere@gmail.com 2007-06-28 00:02 -------
Fixed in 2.2.4
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 41143] - Incorrect ap_getline assumption in mod_proxy_http
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41143>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41143
------- Additional Comments From davi@apache.org 2007-06-28 16:30 -------
I forgot to mention, but but if my memory serves well I spotted this issue while playing with
large cookies. It's not a critical real-world issue, yet :-)
Thanks for you comments.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 41143] - Incorrect ap_getline assumption in mod_proxy_http
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41143>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41143
------- Additional Comments From davi@apache.org 2007-06-28 16:18 -------
(In reply to comment #6)
> (In reply to comment #5)
>
>
> But ap_get_brigade(AP_MODE_GETLINE) returns 8192 bytes at max and it is not
> guaranteed that this data contains a LF.
No! ap_get_brigade(AP_MODE_GETLINE) may return much more than 8192 bytes.
Suppose a brigade has two buckets of APR_BUCKET_BUFF_SIZE (8000) bytes each
and the line break is on the second bucket, at position 4000. In this case,
apr_brigade_split_line() will read the first bucket, and will proceed to read the
next one since it's size is not >= HUGE_STRING_LEN. It will find a LF on the second
one and return a brigade of 12000 bytes.
> I agree that current code does it wrong, but I fear that there are other cases
> where your patch will do it wrong.
Would you care to elaborate? Also, i'm not sure too if it's the best fix, but it can't
get any worse (famous last words).
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 41143] - Incorrect ap_getline assumption in mod_proxy_http
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41143>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41143
davi@apache.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |
------- Additional Comments From davi@apache.org 2007-06-28 04:16 -------
Are you sure? which commit fixed it? I fail to see how this was solved. The code in
question is still present on the 2.2.x branch and trunk.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 41143] - Incorrect ap_getline assumption in mod_proxy_http
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41143>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41143
------- Additional Comments From rpluem@apache.org 2007-06-28 14:16 -------
(In reply to comment #0)
> The misplaced ap_getline may discard a valid header after a too long header,
ap_getline already discards
> extra data.
I am no sure if this is true in the case that the header is larger than 16KB,
because in this case ap_rgetline_core will be left after the second
ap_get_brigade (in the case we only have the ap_core_input_filter in the input
filter chain, not checked the SSL case) which only read 16KB from the socket.
> The patch (side effect) also reduces the stack usage considerably (by 8KB).
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org