Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/03/19 23:50:49 UTC

DO NOT REPLY [Bug 18170] New: - Memory allocation for wrapped HTTP header is incorrect

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18170>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18170

Memory allocation for wrapped HTTP header is incorrect

           Summary: Memory allocation for wrapped HTTP header is incorrect
           Product: Apache httpd-2.0
           Version: 2.0.44
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Blocker
          Priority: Other
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: PeterMayne@ap.spherion.com


This error is in httpd-2.0.44/server/protocol.c, in ap_get_mime_headers_core().
It appears to be non-platform and non-OS specific.

When sending a request of the form

GET /examples/servlet/RequestHeaderExample HTTP/1.0
Content-Type: multipart/related; type="text/xml";
        boundary="----=_Part_9_24374438.1048047839137"
SOAPAction: ebXML
Host: chmeee
...

where the header is wrapped, and is a multiple of eight bytes long when
unwrapped (as in the Content-Type header here, which has a trailing space on the
first line and a leading TAB on the second line), the code appends the second
line to the first line. However, the memory allocation does not allow for the
trailing '\0' in the new string, so one less byte is allocated than should be.

When the next header is read, and memory is allocated for it, it therefore
overwrites the '\0' at the end of the Content-Type value, making it become

multipart/related; type="text/xml"; 
    boundary="----=_Part_9_24374438.1048047839137"SOAPAction

Because apr_palloc allocates memory in sizes of multiples of 8 (see
APR_ALIGN_DEFAULT), this bug does not show up if the wrapped value is not a
multiple of 8, since the padding provides space for the trailing '\0'.

This bug cannot be worked around, since the headers in this case are generated
by Sun's SAAJ classes and cannot be modified to avoid triggering this bug, hence
the "blocker" severity.
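The mechanism described above, reproduced as an added example (not httpd or APR code): a toy bump allocator that rounds requests up to 8 bytes the way apr_palloc does, a fold routine that sizes the buffer either as 2.0.44 did (last_len + len) or with the +1, and a check of whether the folded value is still terminated once the next header has been allocated. The allocator, the header lines and the function names are constructed for the demonstration; the doubling step of the real fold code is omitted, only the sizing line the patch changes is modelled.

```c
#include <stdio.h>
#include <string.h>

/* Toy bump allocator that rounds every request up to a multiple of 8,
 * as apr_palloc does through APR_ALIGN_DEFAULT. Stand-in, not APR's code. */
#define ALIGN8(n) (((n) + 7) & ~(size_t)7)
static char pool[4096];
static size_t pool_used;

static void *pool_alloc(size_t n)
{
    void *p = pool + pool_used;
    pool_used += ALIGN8(n);
    return p;
}

/* Append a continuation line to the header line set aside before it.
 * fixed == 0 sizes the buffer last_len + len (the 2.0.44 behaviour);
 * fixed == 1 adds the +1 from the patch. The second memcpy copies the
 * terminating '\0' either way, so without the +1 it lands one byte past
 * the requested size, in whatever padding the allocator happened to add. */
static char *fold_header(const char *last_field, const char *field, int fixed)
{
    size_t last_len = strlen(last_field), len = strlen(field);
    size_t alloc_len = last_len + len + (fixed ? 1 : 0);
    char *fold_buf = pool_alloc(alloc_len);
    memcpy(fold_buf, last_field, last_len);
    memcpy(fold_buf + last_len, field, len + 1); /* +1 copies the nul */
    return fold_buf;
}

/* Fold the two lines, then store the next header from the same pool, as the
 * parser does. Returns 1 if the folded value is still correctly terminated
 * afterwards, 0 if the next header overwrote its '\0'. */
static int folded_value_survives(const char *last_field, const char *field,
                                 const char *next_header, int fixed)
{
    pool_used = 0;
    memset(pool, 0, sizeof pool);
    char *value = fold_header(last_field, field, fixed);
    size_t expected = strlen(last_field) + strlen(field);
    char *next = pool_alloc(strlen(next_header) + 1);
    strcpy(next, next_header);
    return strlen(value) == expected;
}

int main(void)
{
    /* Constructed sample: "Accept: text/xml; " + "\tq=0.5" is 24 bytes, a multiple of 8. */
    printf("unpatched: %s\n", folded_value_survives("Accept: text/xml; ", "\tq=0.5", "SOAPAction: ebXML", 0) ? "intact" : "corrupted");
    printf("patched:   %s\n", folded_value_survives("Accept: text/xml; ", "\tq=0.5", "SOAPAction: ebXML", 1) ? "intact" : "corrupted");
    return 0;
}
```

Changing the continuation line to "\tq=0.50" (joined length 25) makes the unpatched case pass too, which is the alignment padding masking the missing byte as the report describes.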

Tested patch:
$ diff original-protocol.c httpd-2.0.44/server/protocol.c
807,808c807,808
<                     if (last_len + len > alloc_len) {
<                         alloc_len = last_len + len;
---
>                     if (last_len + len + 1 > alloc_len) {
>                         alloc_len = last_len + len + 1;
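Review bot: The +1 on both changed lines is the right fix for the defect the report describes, since the fold copy writes a terminating '\0' at last_field[last_len + len] and the old sizing left that byte to the allocator's 8-byte padding. Two follow-ups worth checking that this hunk does not show: if an outer test decides whether to reallocate at all before these lines, it needs the same +1, otherwise a continuation that exactly fills an existing buffer still writes its nul one byte past it; and a short comment on the changed lines (e.g. `/* +1 for the trailing nul */`) would keep a later cleanup from dropping the extra byte again.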

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org