From bugzi...@apache.org
Subject DO NOT REPLY [Bug 18170] New: - Memory allocation for wrapped HTTP header is incorrect
Date Wed, 19 Mar 2003 22:50:49 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18170>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18170

Memory allocation for wrapped HTTP header is incorrect

           Summary: Memory allocation for wrapped HTTP header is incorrect
           Product: Apache httpd-2.0
           Version: 2.0.44
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Blocker
          Priority: Other
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: PeterMayne@ap.spherion.com


This error is in httpd-2.0.44/server/protocol.c, in ap_get_mime_headers_core().
It appears to be neither platform- nor OS-specific.

When sending a request of the form

GET /examples/servlet/RequestHeaderExample HTTP/1.0
Content-Type: multipart/related; type="text/xml";
        boundary="----=_Part_9_24374438.1048047839137"
SOAPAction: ebXML
Host: chmeee
...

where the header is wrapped, and is a multiple of eight bytes long when
unwrapped (as in the Content-Type header here, which has a trailing space on the
first line and a leading TAB on the second line), the code appends the second
line to the first line. However, the memory allocation does not allow for the
trailing '\0' in the new string, so one less byte is allocated than should be.

When the next header is read, and memory is allocated for it, it therefore
overwrites the '\0' at the end of the Content-Type value, making it become

multipart/related; type="text/xml"; 
    boundary="----=_Part_9_24374438.1048047839137"SOAPAction

Because apr_palloc allocates memory in sizes of multiples of 8 (see
APR_ALIGN_DEFAULT), this bug does not show up if the wrapped value is not a
multiple of 8, since the padding provides space for the trailing '\0'.

This bug cannot be worked around, since the headers in this case are generated
by Sun's SAAJ classes and cannot be modified to avoid triggering this bug, hence
the "blocker" severity.

Tested patch:
$ diff original-protocol.c httpd-2.0.44/server/protocol.c
807,808c807,808
<                     if (last_len + len > alloc_len) {
<                         alloc_len = last_len + len;
---
>                     if (last_len + len + 1 > alloc_len) {
>                         alloc_len = last_len + len + 1;
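Review bot: the `+ 1` correctly reserves room for the terminator, but the condition and the assignment repeat the same expression `last_len + len + 1`; compute it once (for example `apr_size_t need = last_len + len + 1;`) and use `need` in both places so the check and the allocation cannot drift apart again. Also, a two-line context-free `diff` keyed to lines 807,808 will not apply to any other 2.0.x revision; please send it as a unified diff (`diff -u`) with the surrounding continuation-handling code, and add a regression case with a folded header whose combined length is a multiple of 8, since that is the only case in which the missing byte is observable.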

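The following is an added example, not httpd code, that models the report's explanation with a toy pool allocator rounding every request up to 8 bytes (as apr_palloc does via APR_ALIGN_DEFAULT). It folds a constructed continuation line using either the 2.0.44 sizing or the patched sizing, allocates the next header name from the same pool, and checks whether the folded value kept its terminator; the header strings, the allocator and the function names are all constructed for this demonstration.

```c
/* Added example, not httpd code: shows why the missing "+1" in the
 * continuation-line sizing only corrupts values whose folded length is a
 * multiple of 8. All inputs below are constructed. */
#include <stdio.h>
#include <string.h>

#define ALIGN8(n) (((n) + 7) & ~(size_t)7)   /* mimics APR_ALIGN_DEFAULT */

static char   pool[4096];
static size_t pool_used;

/* Bump allocator: hands out 8-byte-aligned chunks, never frees. */
static void *pool_alloc(size_t n) {
    void *p = pool + pool_used;
    pool_used += ALIGN8(n);
    return p;
}

/* Fold a continuation line onto the header line already read.
 * fixed == 0 sizes the buffer as 2.0.44 did (last_len + len);
 * fixed != 0 applies the reporter's patch (last_len + len + 1). */
static char *fold_header(const char *first, const char *cont, int fixed) {
    size_t last_len = strlen(first), len = strlen(cont);
    size_t alloc_len = last_len + len + (fixed ? 1 : 0);
    char *buf = pool_alloc(alloc_len);
    memcpy(buf, first, last_len);
    memcpy(buf + last_len, cont, len + 1);  /* +1 copies the NUL, as httpd does */
    return buf;
}

/* Reproduce the report: fold a header, allocate the next header name from the
 * same pool, then check whether the folded value kept its terminator. */
static int value_intact(const char *first, const char *cont, int fixed) {
    char expected[256];
    pool_used = 0;
    memset(pool, 0, sizeof pool);
    snprintf(expected, sizeof expected, "%s%s", first, cont);
    char *value = fold_header(first, cont, fixed);
    char *next = pool_alloc(strlen("SOAPAction") + 1);
    strcpy(next, "SOAPAction");           /* lands right after the folded value */
    return strcmp(value, expected) == 0;  /* 1 = intact, 0 = clobbered */
}

/* Constructed inputs: LINE1 is 24 bytes; the continuations are 16 and 15 bytes. */
static const char LINE1[]   = "Content-Type: text/xml; ";
static const char CONT_40[] = "\tboundary=\"abcd\"";   /* 24+16 = 40, multiple of 8 */
static const char CONT_39[] = "\tboundary=\"abc\"";    /* 24+15 = 39, padding hides the bug */
```

With the 2.0.44 sizing, `value_intact(LINE1, CONT_40, 0)` returns 0 because the next allocation starts exactly where the terminator was written, while the 39-byte case returns 1 because the rounding padding absorbs the NUL; the patched sizing returns 1 for both.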