You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Mike Rumph <mi...@oracle.com> on 2013/08/05 20:11:16 UTC
[PATCH 55360] Potential buffer overflows in support/ab
Hello all,
A comment section in support/ab.c lists the following known problems:
/*
* BUGS:
*
* - uses strcpy/etc.
* - has various other poor buffer attacks related to the lazy parsing of
* response headers from the server
* - doesn't implement much of HTTP/1.x, only accepts certain forms of
* responses
* - (performance problem) heavy use of strstr shows up top in profile
* only an issue for loopback usage
*/
I was able to duplicate segmentation faults through the T and X command
line options.
I submitted a patch to fix potential buffer overflows through these options.
- https://issues.apache.org/bugzilla/show_bug.cgi?id=55360
The patch also removes 2 unreferenced fixed length buffers.
support/ab.c also contains 3 additional fixed length buffers that could
potentially overflow:
- servername, buffer and _request
Fixing these problems will require a deeper understanding of the code.
Please, consider the submitted patch for adoption.
Thanks,
Mike Rumph
Re: [PATCH 55360] Potential buffer overflows in support/ab
Posted by Jeff Trawick <tr...@gmail.com>.
On Mon, Aug 5, 2013 at 4:10 PM, Jeff Trawick <tr...@gmail.com> wrote:
> On Mon, Aug 5, 2013 at 2:11 PM, Mike Rumph <mi...@oracle.com> wrote:
>
>> Hello all,
>>
>> A comment section in support/ab.c lists the following known problems:
>>
>> /*
>> * BUGS:
>> *
>> * - uses strcpy/etc.
>> * - has various other poor buffer attacks related to the lazy parsing of
>> * response headers from the server
>> * - doesn't implement much of HTTP/1.x, only accepts certain forms of
>> * responses
>> * - (performance problem) heavy use of strstr shows up top in profile
>> * only an issue for loopback usage
>> */
>>
>> I was able to duplicate segmentation faults through the T and X command
>> line options.
>>
>> I submitted a patch to fix potential buffer overflows through these
>> options.
>> - https://issues.apache.org/**bugzilla/show_bug.cgi?id=55360<https://issues.apache.org/bugzilla/show_bug.cgi?id=55360>
>>
>> The patch also removes 2 unreferenced fixed length buffers.
>>
>> support/ab.c also contains 3 additional fixed length buffers that could
>> potentially overflow:
>> - servername, buffer and _request
>>
>> Fixing these problems will require a deeper understanding of the code.
>>
>> Please, consider the submitted patch for adoption.
>>
>
>
> The patch looks fine in an initial glance. I anticipate committing it
> today after eyeballing it a bit more. (Or else I'll speak up.)
>
This is now in trunk as r1510707; I'll nominate for inclusion in 2.4.next
shortly.
> Thanks,
>
> Jeff
>
>
>>
>> Thanks,
>>
>> Mike Rumph
>>
>>
>>
>
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
>
--
Born in Roswell... married an alien...
http://emptyhammock.com/
Re: [PATCH 55360] Potential buffer overflows in support/ab
Posted by Jeff Trawick <tr...@gmail.com>.
On Mon, Aug 5, 2013 at 2:11 PM, Mike Rumph <mi...@oracle.com> wrote:
> Hello all,
>
> A comment section in support/ab.c lists the following known problems:
>
> /*
> * BUGS:
> *
> * - uses strcpy/etc.
> * - has various other poor buffer attacks related to the lazy parsing of
> * response headers from the server
> * - doesn't implement much of HTTP/1.x, only accepts certain forms of
> * responses
> * - (performance problem) heavy use of strstr shows up top in profile
> * only an issue for loopback usage
> */
>
> I was able to duplicate segmentation faults through the T and X command
> line options.
>
> I submitted a patch to fix potential buffer overflows through these
> options.
> - https://issues.apache.org/**bugzilla/show_bug.cgi?id=55360<https://issues.apache.org/bugzilla/show_bug.cgi?id=55360>
>
> The patch also removes 2 unreferenced fixed length buffers.
>
> support/ab.c also contains 3 additional fixed length buffers that could
> potentially overflow:
> - servername, buffer and _request
>
> Fixing these problems will require a deeper understanding of the code.
>
> Please, consider the submitted patch for adoption.
>
The patch looks fine in an initial glance. I anticipate committing it
today after eyeballing it a bit more. (Or else I'll speak up.)
Thanks,
Jeff
>
> Thanks,
>
> Mike Rumph
>
>
>
--
Born in Roswell... married an alien...
http://emptyhammock.com/