Posted to bugs@httpd.apache.org by bu...@apache.org on 2002/08/17 18:51:55 UTC

DO NOT REPLY [Bug 11791] New: - NULL pointer dereference in merge_env_dir_configs

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11791>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11791

NULL pointer dereference in merge_env_dir_configs

           Summary: NULL pointer dereference in merge_env_dir_configs
           Product: Apache httpd-2.0
           Version: 2.0.40
          Platform: Sun
        OS/Version: Solaris
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_env
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: timh@rd.bbc.co.uk


In merge_env_dir_configs the following code exists:

    arr = apr_table_elts(add->unsetenv);
    elts = (const apr_table_entry_t *)arr->elts;

However, the definition of apr_table_elts just returns what is passed. This means
that arr is set to NULL if add->unsetenv is NULL. At this point arr->elts causes
a dereference through a NULL pointer and segfaults the server. From dbx:

(/tool/lang8.1/SUNWspro/bin/../WS6U1/bin/sparcv9/dbx) where                 
current thread: t@5
=>[1] merge_env_dir_configs(p = 0x1b0d68, basev = 0x1239d0, addv = 0x1b88f8),
line 114 in "mod_env.c"

(/tool/lang8.1/SUNWspro/bin/../WS6U1/bin/sparcv9/dbx) print *add
*add = {
    vars     = 0x1b8900
    unsetenv = (nil)
}


This only seems to occur when a .htaccess contains a SetEnv directive or any of
the subdirectories contain a .htaccess with a SetEnv directive, i.e.:

if
SetEnv foo bla exists in /foo/.htaccess
GET /foo/ HTTP/1.0
segfaults

SetEnv foo bla exists in /foo/bla/.htaccess
GET /foo/ HTTP/1.0
segfaults

SetEnv foo bla exists in /foo/bla/a/.htaccess
GET /foo/ HTTP/1.0
succeeds.

However, if there is no SetEnv in /foo/.htaccess
GET /foo/ HTTP/1.0
succeeds. /foo/.htaccess may contain other directives and remains unaffected.

This also only seems to apply if an index doesn't exist, i.e. mod_autoindex will
return a directory index.

This was tested under Solaris 8, Sun cc:
cc: Sun WorkShop 6 update 1 C 5.2 2000/09/11

I have server configs, binaries and core files of this in action that I am able
to provide.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
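As an added illustration (not code from this report or from mod_env), a simplified stand-in for the per-directory merge with the NULL check on the apr_table_elts() result that the report shows is missing; the table_t type, the table_set/table_unset/env_lookup helpers and the merge ordering (inherited vars, minus the section's UnsetEnv names, plus its SetEnv entries) are assumptions for the example, not APR's or mod_env's actual API.

```c
#include <string.h>
/* Constructed stand-ins for APR's table/array types (assumption, not APR). */
#define MAX_VARS 16
typedef struct { const char *key; const char *val; } entry_t;
typedef struct { int nelts; entry_t elts[MAX_VARS]; } table_t;
typedef struct {
    table_t *vars;      /* SetEnv name/value pairs */
    table_t *unsetenv;  /* UnsetEnv names; NULL if the section never used UnsetEnv */
} env_dir_config_rec;

/* Like apr_table_elts(): returns its argument unchanged, so NULL in, NULL out. */
static const table_t *table_elts(const table_t *t) { return t; }
static void table_set(table_t *t, const char *key, const char *val)
{
    for (int i = 0; i < t->nelts; i++)
        if (strcmp(t->elts[i].key, key) == 0) { t->elts[i].val = val; return; }
    if (t->nelts < MAX_VARS) { t->elts[t->nelts].key = key; t->elts[t->nelts++].val = val; }
}
static void table_unset(table_t *t, const char *key)
{
    for (int i = 0; i < t->nelts; i++)
        if (strcmp(t->elts[i].key, key) == 0) { t->elts[i] = t->elts[--t->nelts]; return; }
}
const char *env_lookup(const table_t *t, const char *key)
{
    for (int i = 0; i < t->nelts; i++)
        if (strcmp(t->elts[i].key, key) == 0) return t->elts[i].val;
    return NULL;
}

/* Guarded merge (simplified model): inherited vars minus add's UnsetEnv names,
 * then add's SetEnv entries layered on top.  The arr != NULL test is the guard
 * the report shows missing: without it arr->elts reads through a NULL pointer. */
void merge_env_dir_configs_safe(const env_dir_config_rec *base,
                                const env_dir_config_rec *add, table_t *out)
{
    const table_t *arr;
    out->nelts = 0;
    if (base->vars)
        for (int i = 0; i < base->vars->nelts; i++)
            table_set(out, base->vars->elts[i].key, base->vars->elts[i].val);
    arr = table_elts(add->unsetenv);
    if (arr != NULL)                       /* NULL table means nothing to unset */
        for (int i = 0; i < arr->nelts; i++)
            table_unset(out, arr->elts[i].key);
    if (add->vars)
        for (int i = 0; i < add->vars->nelts; i++)
            table_set(out, add->vars->elts[i].key, add->vars->elts[i].val);
}
```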