httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 22915] New: - memcpy in apr_rmm_realloc may cause crash
Date Wed, 03 Sep 2003 22:16:50 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22915>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22915

memcpy in apr_rmm_realloc may cause crash

           Summary: memcpy in apr_rmm_realloc may cause crash
           Product: APR
           Version: HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: APR-util
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: shrauner@inktomi.com


The memcpy() at line 367 of apr_rmm_realloc which attempts to copy the old data
to the newly allocated memory region is copying the newly requested number of
bytes from the old region, which means if one uses realloc to grow a memory
region (presumably the more common case), then we would be reading past the end
of the old memory region.  In cases where the old region were too close to the
edge of the allocated shared memory, this would result in an attempt to read
outside the process's memory space and thus result in a crash.  The correct
number of bytes to copy is the min() of the requested size and the size of the
old buffer.

Here are diffs for a fix:

*** apr_rmm.c   21 Apr 2003 18:42:02 -0000      1.20
--- apr_rmm.c   3 Sep 2003 22:09:24 -0000
***************
*** 360,365 ****
--- 360,367 ----
  {
      apr_rmm_off_t this;
      apr_rmm_off_t old;
+     struct rmm_block_t *blk;
+     apr_size_t oldsize;
  
      if (!entity) {
          return apr_rmm_malloc(rmm, reqsize);
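Review bot: the new declaration `struct rmm_block_t *blk;` does not match the cast used later in the patch, `blk = (rmm_block_t*)((char*)rmm->base + old);`. Unless the header declares both the struct tag `rmm_block_t` and a typedef of the same name, `struct rmm_block_t` is a different (and possibly incomplete) type from `rmm_block_t`, and the assignment will not compile cleanly. Pick one spelling and use it in both the declaration and the cast.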
***************
*** 372,379 ****
          return this;
      }
  
      memcpy(apr_rmm_addr_get(rmm, this),
!            apr_rmm_addr_get(rmm, old), reqsize);
      apr_rmm_free(rmm, old);
  
      return this;
--- 374,384 ----
          return this;
      }
  
+     blk = (rmm_block_t*)((char*)rmm->base + old);
+     oldsize = blk->size;
+ 
      memcpy(apr_rmm_addr_get(rmm, this),
!            apr_rmm_addr_get(rmm, old), oldsize < reqsize ? oldsize : reqsize);
      apr_rmm_free(rmm, old);
  
      return this;
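Review bot: confirm what `rmm->base + old` addresses before trusting `blk->size`. The payload is fetched with `apr_rmm_addr_get(rmm, old)`, while the header is fetched with `(char*)rmm->base + old`; if those two resolve to the same address, `blk->size` reads the first bytes of the caller's data rather than the block header. Also check whether the recorded `size` is the payload size or the whole block including its header, since the copy length must be the payload size (a header-inclusive size would still over-read by the header length). The `oldsize < reqsize ? oldsize : reqsize` expression itself is the right bound for both the grow and shrink cases; an accessor that returns the payload size of a block would make that dependency on the header layout explicit.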

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
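The over-read the report describes is easy to reproduce in a model. The following is an added example, not code from the bug report or from APR: a toy fixed-size segment in which blocks are addressed by offset and each block carries a header with its payload size (the names `segment_t`, `blk_hdr_t`, `seg_place`, `realloc_copy` and the two `copy_len_*` policies are my own, and the 64-byte segment and 16-byte block are constructed values). `copy_len_before` reproduces the original behaviour of copying `reqsize` bytes; `copy_len_after` copies the minimum of the old and requested sizes as the fix does. `realloc_copy` checks the read against the segment boundary before calling `memcpy`, so the buggy policy is rejected instead of reading past the end of the mapping.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a relocatable-memory segment (hypothetical, not APR's layout):
 * a fixed-size region in which blocks are addressed by offset, with a small
 * header holding the payload size placed just before the payload. */
#define SEG_BYTES 64

typedef struct {
    uint32_t size;                  /* payload size recorded at allocation */
} blk_hdr_t;

typedef struct {
    unsigned char base[SEG_BYTES];  /* the whole "shared" region */
} segment_t;

/* Record a block of n payload bytes whose payload starts at offset off.
 * Returns 0 on success, -1 if header or payload would fall outside the segment. */
static int seg_place(segment_t *seg, size_t off, uint32_t n) {
    if (off < sizeof(blk_hdr_t) || off + n > SEG_BYTES) return -1;
    blk_hdr_t *h = (blk_hdr_t *)(seg->base + off - sizeof(blk_hdr_t));
    h->size = n;
    return 0;
}

/* Read back the payload size recorded for the block at payload offset off. */
static uint32_t seg_block_size(const segment_t *seg, size_t off) {
    const blk_hdr_t *h = (const blk_hdr_t *)(seg->base + off - sizeof(blk_hdr_t));
    return h->size;
}

/* Copy length used before the fix: the requested size, whatever the old size. */
static size_t copy_len_before(size_t oldsize, size_t reqsize) {
    (void)oldsize;
    return reqsize;
}

/* Copy length after the fix: never more than the old block actually holds. */
static size_t copy_len_after(size_t oldsize, size_t reqsize) {
    return oldsize < reqsize ? oldsize : reqsize;
}

/* Bytes that a read of len bytes starting at off would touch past the end of
 * the segment; 0 means the read stays inside the mapped region. */
static size_t overread_bytes(size_t off, size_t len) {
    size_t end = off + len;
    return end > SEG_BYTES ? end - SEG_BYTES : 0;
}

/* The copy step of a realloc: move the old payload into a freshly allocated
 * destination using the given length policy. Returns the number of bytes
 * copied, or (size_t)-1 if the copy would read outside the segment or would
 * not fit in the destination. The bound check stands in for the crash the
 * report describes; a real over-read is never performed here. */
static size_t realloc_copy(const segment_t *seg, size_t old_off, size_t reqsize,
                           size_t (*policy)(size_t, size_t),
                           unsigned char *dst, size_t dst_cap) {
    size_t oldsize = seg_block_size(seg, old_off);
    size_t len = policy(oldsize, reqsize);
    if (len > dst_cap || overread_bytes(old_off, len) != 0) return (size_t)-1;
    memcpy(dst, seg->base + old_off, len);
    return len;
}

/* Scenario from the report (constructed): a 16-byte block at the very end of
 * the segment is grown to 32 bytes. With the old policy the copy would read
 * 16 bytes past the segment; with the fix it copies exactly the 16 old bytes. */
static size_t grow_block_at_end(int use_fix) {
    segment_t seg;
    unsigned char dst[32];
    size_t old_off = SEG_BYTES - 16;
    memset(seg.base, 0, SEG_BYTES);
    if (seg_place(&seg, old_off, 16) != 0) return (size_t)-1;
    memset(seg.base + old_off, 0x5A, 16);          /* constructed payload */
    return realloc_copy(&seg, old_off, 32,
                        use_fix ? copy_len_after : copy_len_before,
                        dst, sizeof dst);
}

int main(void) {
    size_t before = grow_block_at_end(0);
    size_t after = grow_block_at_end(1);
    printf("old policy: %s\n", before == (size_t)-1 ? "rejected (would over-read)"
                                                    : "copied");
    printf("fixed policy: copied %zu bytes\n", after);
    return 0;
}
```

The shrink case falls out of the same expression: with `oldsize` 32 and `reqsize` 16, `copy_len_after` returns 16, which is also what the destination block can hold, so neither direction of resize can copy more than the smaller of the two blocks.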

