Posted to dev@httpd.apache.org by Adam Sussman <my...@vishnu.vidya.com> on 2001/12/29 02:24:45 UTC

[PATCH] mod_proxy truncates status line

Mod_proxy truncates the status line returned by the proxied
server.  One character gets snipped off of the end of the
status line.

-adam

Index: modules/proxy/proxy_http.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/proxy/proxy_http.c,v
retrieving revision 1.114
diff -u -r1.114 proxy_http.c
--- proxy_http.c	19 Dec 2001 16:32:01 -0000	1.114
+++ proxy_http.c	29 Dec 2001 00:12:21 -0000
@@ -689,7 +689,7 @@
                             "server: ", buffer, NULL));
             }
             backasswards = 0;
-            buffer[--len] = '\0';
+            buffer[len] = '\0';
 
             buffer[12] = '\0';
             r->status = atoi(&buffer[9]);
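
Review bot: on the added line, buffer[len] = '\0' is only in bounds if len is strictly less than the size of buffer, and nothing in the visible lines establishes that. If len is the string length of buffer, the byte at that index is already the terminator and the store can be dropped altogether; if len can come from anywhere else, compare it against the buffer size before the store. Either way, a one-line comment stating which invariant holds would save the next reader this question.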

Re: [PATCH] mod_proxy truncates status line

Posted by Graham Leggett <mi...@sharp.fm>.
Adam Sussman wrote:

> > Are you 100% sure the buffer is big enough to do this? If the buffer is
> > of size "len" the zero will be written past the end of the buffer.
> >
> 
> In the current code, "len" is strlen(buffer) so it can be safely assumed
> to be one less than the length of the buffer (provided of course that
> ap_proxy_string_read can be trusted).

The contents of a buffer can never be trusted though - this could be
exploited as an overflow and potentially an exploit.

Regards,
Graham
-- 
-----------------------------------------
minfrin@sharp.fm		"There's a moon
					over Bourbon Street
						tonight..."

Re: [PATCH] mod_proxy truncates status line

Posted by Bill Stoddard <bi...@wstoddard.com>.
> On Sun, Dec 30, 2001 at 02:58:16PM +0200, Graham Leggett wrote:
> > Adam Sussman wrote:
> >
> > > Mod_proxy truncates the status line returned by the proxied
> > > server.  One character gets snipped off of the end of the
> > > status line.
> >
> > Are you 100% sure the buffer is big enough to do this? If the buffer is
> > of size "len" the zero will be written past the end of the buffer.
> >
>
> In the current code, "len" is strlen(buffer) ...

Which means that we can just remove the assignment entirely. buffer is already NULL
terminated else strlen would be blowing up. In fact, ap_proxy_string_read() NULL
terminates the returned buffer.

Bill
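
The behaviour discussed in this thread, as an added example that is not part of the original messages or the httpd source: the pre-patch store, the patched store with the bounds check asked about above, and a status parse at the hunk's offsets (9 to 11) that checks the length first. The function names and the sample status line are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; names and sample input are hypothetical, not httpd code. */

/* Pre-patch store, buffer[--len] = '\0': drops the last byte. The len > 0
 * guard is added here; the line in the hunk has none. Returns new length. */
size_t terminate_old(char *buf, size_t len)
{
    if (len > 0)
        buf[--len] = '\0';
    return len;
}

/* Patched store, buffer[len] = '\0': in bounds only when len < bufsize, and
 * a no-op when len == strlen(buf). Returns -1 instead of writing outside. */
int terminate_new(char *buf, size_t bufsize, size_t len)
{
    if (len >= bufsize)
        return -1;
    buf[len] = '\0';
    return 0;
}

/* Status code from "HTTP/x.y NNN reason" at the hunk's offsets (digits at
 * 9..11), length checked first, buffer left unmodified. -1 if malformed. */
int parse_status(const char *buf, size_t len)
{
    if (len < 12 || strncmp(buf, "HTTP/", 5) != 0 || buf[8] != ' ')
        return -1;
    for (size_t i = 9; i < 12; i++)
        if (!isdigit((unsigned char)buf[i]))
            return -1;
    return (buf[9] - '0') * 100 + (buf[10] - '0') * 10 + (buf[11] - '0');
}

int main(void)
{
    char line[32] = "HTTP/1.1 404 Not Found";  /* constructed sample */
    size_t len = strlen(line);
    printf("store=%d status=%d\n", terminate_new(line, sizeof line, len),
           parse_status(line, len));
    len = terminate_old(line, len);
    printf("after old store: \"%s\" (%zu bytes)\n", line, len);
    return 0;
}
```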


Re: [PATCH] mod_proxy truncates status line

Posted by Adam Sussman <my...@vishnu.vidya.com>.
On Sun, Dec 30, 2001 at 02:58:16PM +0200, Graham Leggett wrote:
> Adam Sussman wrote:
> 
> > Mod_proxy truncates the status line returned by the proxied
> > server.  One character gets snipped off of the end of the
> > status line.
> 
> Are you 100% sure the buffer is big enough to do this? If the buffer is
> of size "len" the zero will be written past the end of the buffer.
> 

In the current code, "len" is strlen(buffer) so it can be safely assumed
to be one less than the length of the buffer (provided of course that
ap_proxy_string_read can be trusted).

In any case, the specific setting of a null character in a way that truncates
valid data is not appropriate here.  Buffer and len must be sized appropriately.
I believe that they are correct.

-adam


> > Index: modules/proxy/proxy_http.c
> > ===================================================================
> > RCS file: /home/cvspublic/httpd-2.0/modules/proxy/proxy_http.c,v
> > retrieving revision 1.114
> > diff -u -r1.114 proxy_http.c
> > --- proxy_http.c        19 Dec 2001 16:32:01 -0000      1.114
> > +++ proxy_http.c        29 Dec 2001 00:12:21 -0000
> > @@ -689,7 +689,7 @@
> >                              "server: ", buffer, NULL));
> >              }
> >              backasswards = 0;
> > -            buffer[--len] = '\0';
> > +            buffer[len] = '\0';
> > 
> >              buffer[12] = '\0';
> >              r->status = atoi(&buffer[9]);
> 
> Regards,
> Graham
> -- 
> -----------------------------------------
> minfrin@sharp.fm		"There's a moon
> 					over Bourbon Street
> 						tonight..."


-- 

	"I believe in Kadath in the cold waste, and Ultima Thule. But you
	 cannot prove to me that Harvard Law School actually exists."
			- Theodora Goss

	"I'm not like that, I have a cat, I don't need you.. My cat, and
	 about 18 lines of bourne shell code replace you in life."
			- anonymous


Adam Sussman    
Vidya Media Ventures

asussman@vidya.com


Re: [PATCH] mod_proxy truncates status line

Posted by Graham Leggett <mi...@sharp.fm>.
Adam Sussman wrote:

> Mod_proxy truncates the status line returned by the proxied
> server.  One character gets snipped off of the end of the
> status line.

Are you 100% sure the buffer is big enough to do this? If the buffer is
of size "len" the zero will be written past the end of the buffer.

> Index: modules/proxy/proxy_http.c
> ===================================================================
> RCS file: /home/cvspublic/httpd-2.0/modules/proxy/proxy_http.c,v
> retrieving revision 1.114
> diff -u -r1.114 proxy_http.c
> --- proxy_http.c        19 Dec 2001 16:32:01 -0000      1.114
> +++ proxy_http.c        29 Dec 2001 00:12:21 -0000
> @@ -689,7 +689,7 @@
>                              "server: ", buffer, NULL));
>              }
>              backasswards = 0;
> -            buffer[--len] = '\0';
> +            buffer[len] = '\0';
> 
>              buffer[12] = '\0';
>              r->status = atoi(&buffer[9]);
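
Review bot: the two context lines after the change, buffer[12] = '\0' and atoi(&buffer[9]), index the buffer at fixed offsets with no length check visible in this hunk, so a status line shorter than 12 bytes would be written to and read from beyond its terminator. Since the patch already touches the termination logic here, consider rejecting the response when len < 12 before those lines, and parsing the three digits with a call that reports failure, because atoi returns 0 for non-numeric input and that cannot be told apart from a parsed 0.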

Regards,
Graham
-- 
-----------------------------------------
minfrin@sharp.fm		"There's a moon
					over Bourbon Street
						tonight..."