You are viewing a plain text version of this content. The canonical link for it is here.
Posted to c-dev@axis.apache.org by "Ralph Loader (JIRA)" <ji...@apache.org> on 2013/07/06 01:09:50 UTC

[jira] [Commented] (AXIS2C-1644) Buffer overflow in axis2_simple_http_svr_conn_write_response()

    [ https://issues.apache.org/jira/browse/AXIS2C-1644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13701169#comment-13701169 ] 

Ralph Loader commented on AXIS2C-1644:
--------------------------------------

Reproduced with svn trunk rev 1500135

==19764== Thread 2:
==19764== Invalid write of size 1
==19764==    at 0x4E3EDAE: axis2_simple_http_svr_conn_write_response (simple_http_svr_conn.c:287)
==19764==    by 0x4E4051B: axis2_http_worker_process_request (http_worker.c:1773)
==19764==    by 0x5D6B4EE: axis2_svr_thread_worker_func (http_svr_thread.c:270)
==19764==    by 0x6185C52: start_thread (in /usr/lib64/libpthread-2.17.so)
==19764==    by 0x68A913C: clone (in /usr/lib64/libc-2.17.so)
==19764==  Address 0x6cfdd40 is 0 bytes after a block of size 2,048 alloc'd
==19764==    at 0x4C28409: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19764==    by 0x528AE9A: axutil_stream_create_basic (stream.c:238)
==19764==    by 0x4E3F41D: axis2_http_worker_process_request (http_worker.c:116)
==19764==    by 0x5D6B4EE: axis2_svr_thread_worker_func (http_svr_thread.c:270)
==19764==    by 0x6185C52: start_thread (in /usr/lib64/libpthread-2.17.so)
==19764==    by 0x68A913C: clone (in /usr/lib64/libc-2.17.so)
==19764== 

                
> Buffer overflow in axis2_simple_http_svr_conn_write_response()
> --------------------------------------------------------------
>
>                 Key: AXIS2C-1644
>                 URL: https://issues.apache.org/jira/browse/AXIS2C-1644
>             Project: Axis2-C
>          Issue Type: Bug
>          Components: transport/http
>    Affects Versions: 1.6.0
>            Reporter: Ralph Loader
>              Labels: security
>
> Valgrind found a heap buffer overflow by a single byte in [a slightly modified] axis2-c 1.6.0.
> Out of caution, I am marking this as a security issue, although I am uncertain as to how practical it would be to exploit.
> Looking at the source code, I believe that the issue still exists in svn trunk, and that my local modifications are not related to the buffer overflow. I have not tested that belief beyond reading the source code.
> The issue is that the addition of a single terminating NUL character in axis2_simple_http_svr_conn_write_response() is not guarded by a check for available space:
>         response_body[body_size] = AXIS2_ESC_NULL;
> (line 287 of simple_http_svr_conn.c in subversion trunk rev 1496107).
> Here is the original valgrind output; although the line numbers are completely different, I do not believe that the underlying logic is different between my version and the svn trunk version.
> ==18852== Invalid write of size 1
> ==18852==    at 0x56B8BD0: axis2_simple_http_svr_conn_write_response (simple_http_svr_conn.c:543)
> ==18852==    by 0x56BD2B0: axis2_http_worker_process_request (http_worker.c:1970)
> ==18852==    by 0x5D728AD: axis2_svr_thread_worker_func (http_svr_thread.c:265)
> ==18852==    by 0x5D72666: axis2_http_svr_thread_run (http_svr_thread.c:164)
> ==18852==    by 0x5D72025: axis2_http_server_start (http_receiver.c:298)
> ==18852==    by 0x58E9F9D: axis2_transport_receiver_start (transport_receiver.c:45)
> ==18852==    by 0x411220: main (http_server_main.c:223)
> ==18852==  Address 0x6ec3990 is 0 bytes after a block of size 2,048 alloc'd
> ==18852==    at 0x4C228B8: malloc (vg_replace_malloc.c:270)
> ==18852==    by 0x54853BF: axutil_allocator_malloc_impl (allocator.c:75)
> ==18852==    by 0x5487245: axutil_stream_create_basic (stream.c:247)
> ==18852==    by 0x56B908B: axis2_http_worker_process_request (http_worker.c:118)
> ==18852==    by 0x5D728AD: axis2_svr_thread_worker_func (http_svr_thread.c:265)
> ==18852==    by 0x5D72666: axis2_http_svr_thread_run (http_svr_thread.c:164)
> ==18852==    by 0x5D72025: axis2_http_server_start (http_receiver.c:298)
> ==18852==    by 0x58E9F9D: axis2_transport_receiver_start (transport_receiver.c:45)
> ==18852==    by 0x411220: main (http_server_main.c:223)
> Incidently, it may just have been luck, but this showed up immediately the first time I tried axis2c under valgrind. That suggests to me that the axis2c developers have not been regularly running their code under valgrind. Can I humbly suggest that they may wish to consider doing that?

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: c-dev-help@axis.apache.org