Posted to bugs@httpd.apache.org by bu...@apache.org on 2007/09/05 13:45:38 UTC

DO NOT REPLY [Bug 43310] New: - buffer overflow (1 byte) in ap_vrprintf()

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43310>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43310

           Summary: buffer overflow (1 byte) in ap_vrprintf()
           Product: Apache httpd-2
           Version: 2.2.4
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P4
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: zsunno@gmail.com


If the entire output size of ap_vrprintf() is a multiple of 8192 (AP_IOBUFSIZE),
then vd.vbuff.curpos is equal to vd.vbuff.curend
and the null terminator is written over the end of vrprintf_buf[].

On my machine, the first byte of vd.vbuff.curpos is cleared to zero, and the 3rd
parameter of output_buffer() is calculated incorrectly.

tested on apache-2.2.4
========
steps to reproduce the problem:
1) make a sample module
$ apxs -g -n test

2) edit test_handler
/* The sample content handler */
static int test_handler(request_rec *r)
{
    int n;
    char *s;

    if (strcmp(r->handler, "test")) {
        return DECLINED;
    }
    r->content_type = "text/html";

    /* Body length comes from the query string: /test?8192 */
    if (r->args == NULL || (n = atoi(r->args)) < 0) {
        return HTTP_BAD_REQUEST;
    }
    s = apr_pcalloc(r->pool, n + 1);   /* n bytes of '1' plus a terminating NUL */
    memset(s, '1', n);
    ap_rprintf(r, "%s", s);            /* exactly n bytes of output go through ap_vrprintf() */

    return OK;
}

3) append to httpd.conf and apachectl start
LoadModule test_module modules/mod_test.so
<Location /test>
SetHandler test
</Location>

4) module output size test
$ N=8192 ; for ((i=$N-4; i<$N+4; i++)) ; do echo $i `curl -s localhost/test?$i | wc -c` ; done
8188 8188
8189 8189
8190 8190
8191 8191
8192 8112        <-- expected size is 8192
8193 8193
8194 8194
8195 8195

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


------- Additional Comments From davi@apache.org  2007-11-12 19:04 -------
A patch for this issue was committed in revision 589461:

http://svn.apache.org/viewvc?rev=589461&view=rev

------- Additional Comments From zsunno@gmail.com  2007-09-05 04:52 -------
Created an attachment (id=20774)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=20774&action=view)
Patch against httpd-2.2.4

null terminator is not used

serai@lans-tv.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|FixedInTrunk                |




------- Additional Comments From basant.kukreja@sun.com  2007-09-07 20:31 -------
Created an attachment (id=20781)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=20781&action=view)
Same patch against trunk.

Same patch as submitted by Sunho kim, but against trunk.


jim@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From jim@apache.org  2007-12-08 11:34 -------
In 2.2.7

serai@lans-tv.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk




------- Additional Comments From serai@lans-tv.com  2007-11-24 22:11 -------
a backport proposal (2.2.x)
http://svn.apache.org/viewvc?view=rev&revision=589638

basant.kukreja@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable




------- Additional Comments From basant.kukreja@sun.com  2007-09-06 19:45 -------
I reviewed the patch. Patch looks ok to me. Here is the description of the bug:

In ap_vrprintf, vrprintf_buf is an array of 8192 bytes allocated on the stack.
ap_vrprintf invokes ap_vformatter to format the string.  ap_vformatter prints
the data character by character; if the buffer is overflowed, it flushes the
data and resets vdbuf.curpos to the beginning of the buffer.

If the size of the output is a multiple of 8192, then after
ap_vformatter returns, vbuff.curpos points one byte past the allocated
buffer. (ap_vformatter itself doesn't write beyond the allocated buffer.) We
can't write a NULL there, as it overflows the buffer.

For a request with /test/?8192, here is the debugger session:

Breakpoint 1, ap_vrprintf (r=0x91f6028, fmt=0xd137af "%s", va=0xb731d218
"(�M\t\005")
    at protocol.c:1530
1530        vd.vbuff.curpos = vrprintf_buf;
(gdb) n
1531        vd.vbuff.endpos = vrprintf_buf + AP_IOBUFSIZE;
(gdb) n
1532        vd.r = r;
(gdb) n
1533        vd.buff = vrprintf_buf;
(gdb) n
1535        if (r->connection->aborted)
(gdb) n
1538        written = apr_vformatter(r_flush, &vd.vbuff, fmt, va);
(gdb) n
1541        *(vd.vbuff.curpos) = '\0';
(gdb) p vd.vbuff.curpos - vrprintf_buf
$1 = 8192
(gdb) p sizeof(vrprintf_buf)
$2 = 8192
(gdb)

This patch deletes the statement which sets the null value. This null value is
not used later in the function. The buffer_output function flushes the rest of the
data and doesn't look at the data beyond vdbuff.curpos. Also, buffer_output
doesn't make any call which assumes a NULL character at the end.


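As an added illustration, not part of the bug report, the attached patches or httpd's own code, the stand-alone C program below re-creates the mechanism Basant describes above (and the 8192-byte boundary visible in the reporter's curl loop): a fixed-size stack buffer, a flush callback that rewinds curpos, and a character-by-character writer that, like apr_vformatter's INS_CHAR, flushes only when the buffer is already full and another character must be stored. It reports the index at which the 2.2.4 statement `*(vd.vbuff.curpos) = '\0'` would land, and shows the post-fix path (no terminator, explicit length handed to the output step) delivering exactly the requested byte count. The names vrprintf_sim, sim_init, sim_flush, sim_format, terminator_index, old_terminator_overflows and fixed_vrprintf are invented for this example, and IOBUFSIZE is assumed to equal AP_IOBUFSIZE (8192) as in httpd 2.2. The out-of-bounds store is never actually performed; the program computes the index it would hit instead.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: same buffer size as httpd's AP_IOBUFSIZE in 2.2.x. */
#define IOBUFSIZE 8192

/* Stand-in for apr_vformatter_buff_t: write cursor and end of buffer. */
struct vbuff {
    char *curpos;
    char *endpos;
};

/* Stand-in for ap_vrprintf's vrprintf_data plus the stack buffer it points at. */
struct vrprintf_sim {
    struct vbuff vb;
    char buf[IOBUFSIZE];
    size_t delivered;   /* bytes handed to the output step so far */
    int flushes;        /* how many times the flush callback ran */
};

static void sim_init(struct vrprintf_sim *s)
{
    memset(s, 0, sizeof *s);
    s->vb.curpos = s->buf;
    s->vb.endpos = s->buf + IOBUFSIZE;
}

/* Stand-in for r_flush(): push the full buffer out and rewind curpos. */
static int sim_flush(struct vrprintf_sim *s)
{
    s->delivered += (size_t)(s->vb.curpos - s->buf);
    s->flushes++;
    s->vb.curpos = s->buf;
    return 0;
}

/* Mirrors apr_vformatter's INS_CHAR rule: flush only when a character must be
 * stored and the buffer is already full.  After exactly IOBUFSIZE characters
 * the buffer is full but nothing triggered a flush, so curpos == endpos. */
static void sim_format(struct vrprintf_sim *s, size_t total_len)
{
    for (size_t i = 0; i < total_len; i++) {
        if (s->vb.curpos >= s->vb.endpos)
            sim_flush(s);
        *s->vb.curpos++ = '1';  /* same payload as the reporter's module */
    }
}

/* Index into buf[] that the pre-fix "*(vd.vbuff.curpos) = '\0'" would hit.
 * IOBUFSIZE means one byte past the end of vrprintf_buf[]. */
size_t terminator_index(size_t total_len)
{
    struct vrprintf_sim s;
    sim_init(&s);
    sim_format(&s, total_len);
    return (size_t)(s.vb.curpos - s.buf);
}

/* 1 if the pre-fix terminator write would land outside the buffer. */
int old_terminator_overflows(size_t total_len)
{
    return terminator_index(total_len) >= IOBUFSIZE;
}

/* Post-fix behaviour: no terminator is written; the tail is handed on with an
 * explicit length (buffer_output(r, vrprintf_buf, curpos - vrprintf_buf)),
 * so no NUL is ever needed.  Returns the bytes delivered, which must equal
 * total_len for every size, including multiples of IOBUFSIZE. */
size_t fixed_vrprintf(size_t total_len)
{
    struct vrprintf_sim s;
    sim_init(&s);
    sim_format(&s, total_len);
    s.delivered += (size_t)(s.vb.curpos - s.buf);
    return s.delivered;
}

int main(void)
{
    size_t sizes[] = { IOBUFSIZE - 1, IOBUFSIZE, IOBUFSIZE + 1, 2 * IOBUFSIZE };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("%6zu bytes: terminator index %5zu %s, fixed path delivers %zu\n",
               sizes[i], terminator_index(sizes[i]),
               old_terminator_overflows(sizes[i]) ? "(OUT OF BOUNDS)" : "(in bounds)",
               fixed_vrprintf(sizes[i]));
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run: the 8192 and 16384 rows report terminator index 8192, i.e. one past vrprintf_buf[8191], which is the byte the 2.2.4 code clobbered on the stack, while 8191 and 8193 stay in bounds. The fixed path delivers the requested count in every row, which is the property the curl loop in the report checks from the outside.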