Date: 19 Mar 2003 22:50:49 -0000
Message-ID: <20030319225049.26128.qmail@nagoya.betaversion.org>
From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: DO NOT REPLY [Bug 18170] New: - Memory allocation for wrapped HTTP header is incorrect

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18170

Summary: Memory allocation for wrapped HTTP header is incorrect
Product: Apache httpd-2.0
Version: 2.0.44
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: Blocker
Priority: Other
Component: Core
AssignedTo: bugs@httpd.apache.org
ReportedBy: PeterMayne@ap.spherion.com

This error is in httpd-2.0.44/server/protocol.c, in ap_get_mime_headers_core(). It appears to be non-platform and non-OS specific.

When sending a request of the form

    GET /examples/servlet/RequestHeaderExample HTTP/1.0
    Content-Type: multipart/related; type="text/xml"; boundary="----=_Part_9_24374438.1048047839137"
    SOAPAction: ebXML
    Host: chmeee
    ...

where the header is wrapped, and is a multiple of eight bytes long when unwrapped (as in the Content-Type header here, which has a trailing space on the first line and a leading TAB on the second line), the code appends the second line to the first line.
However, the memory allocation does not allow for the trailing '\0' in the new string, so one less byte is allocated than should be. When the next header is read, and memory is allocated for it, it therefore overwrites the '\0' at the end of the Content-Type value, making it become

    multipart/related; type="text/xml"; boundary="----=_Part_9_24374438.1048047839137"SOAPAction

Because apr_palloc allocates memory in sizes of multiples of 8 (see APR_ALIGN_DEFAULT), this bug does not show up if the wrapped value is not a multiple of 8, since the padding provides space for the trailing '\0'.

This bug cannot be worked around, since the headers in this case are generated by Sun's SAAJ classes and cannot be modified to avoid triggering this bug, hence the "blocker" severity.

Tested patch:

$ diff original-protocol.c httpd-2.0.44/server/protocol.c
807,808c807,808
< if (last_len + len > alloc_len) {
< alloc_len = last_len + len;
---
> if (last_len + len + 1 > alloc_len) {
> alloc_len = last_len + len + 1;
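Review bot: At 807-808 the "+ 1" is written twice, once in the test and once in the assignment, and nothing says it reserves the byte for the terminating '\0'; a short comment, or computing the required size once into a local and using it in both lines, would keep the two in step. This is also a normal-format diff with no context, so the copy and termination that consume alloc_len cannot be checked from these lines; resubmitting it as "diff -u" would let the sizing be verified against them.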
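Added example, not part of the original report and not httpd code: a toy bump allocator showing why the missing byte only bites when the unfolded value is a multiple of 8 bytes long. The names struct pool, pool_alloc, ALIGN8 and value_len_after_next_header are hypothetical stand-ins (for an APR pool, apr_palloc and APR_ALIGN_DEFAULT), and the header strings are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Round a request up to a multiple of 8, as the report says apr_palloc does. */
#define ALIGN8(n) (((n) + 7) & ~(size_t)7)

/* Toy pool: each allocation starts where the previous (rounded) one ended. */
struct pool { char buf[256]; size_t used; };

static char *pool_alloc(struct pool *p, size_t n)
{
    char *r = p->buf + p->used;
    p->used += ALIGN8(n);
    return r;
}

/*
 * Join a folded header value in a buffer of last_len + len + extra bytes,
 * then allocate and fill the next header name, as the report describes.
 * extra = 0 models the original sizing, extra = 1 the patched sizing.
 * Returns the length of the joined value as a later strlen() would see it.
 */
size_t value_len_after_next_header(const char *first, const char *cont,
                                   size_t extra)
{
    struct pool p = { {0}, 0 };
    size_t last_len = strlen(first), len = strlen(cont);
    char *fold = pool_alloc(&p, last_len + len + extra);

    memcpy(fold, first, last_len);
    memcpy(fold + last_len, cont, len);
    fold[last_len + len] = '\0';   /* extra == 0: this byte was never requested */

    /* The next header lands directly after the rounded allocation. */
    char *next = pool_alloc(&p, sizeof "SOAPAction");
    memcpy(next, "SOAPAction", sizeof "SOAPAction");
    return strlen(fold);
}

int main(void)
{
    /* Constructed values: "type=a; " is 8 bytes, "\tbnd=xyz" is 8 bytes. */
    printf("16 bytes, original sizing: %zu\n",
           value_len_after_next_header("type=a; ", "\tbnd=xyz", 0));
    printf("16 bytes, patched sizing:  %zu\n",
           value_len_after_next_header("type=a; ", "\tbnd=xyz", 1));
    printf("15 bytes, original sizing: %zu\n",
           value_len_after_next_header("type=a; ", "\tbnd=xy", 0));
    return 0;
}
```

With the original sizing the 16-byte value runs on into the next header name; the 15-byte value survives only because the rounding padding happens to hold its terminator.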