httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 43310] New: - buffer overflow (1 byte) in ap_vrprintf()
Date Wed, 05 Sep 2007 11:45:38 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43310>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43310

           Summary: buffer overflow (1 byte) in ap_vrprintf()
           Product: Apache httpd-2
           Version: 2.2.4
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P4
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: zsunno@gmail.com


If the entire output size of ap_vrprintf() is a multiple of 8192 (AP_IOBUFSIZE),
then vd.vbuff.curpos is equal to vd.vbuff.curend
and the null terminator is written over the end of vrprintf_buf[].

On my machine, the first byte of vd.vbuff.curpos is cleared to zero, and the 3rd
parameter of output_buffer() is calculated incorrectly.

Tested on apache-2.2.4
========
Steps to reproduce the problem:
1) make a sample module
$ apxs -g -n test

2) edit test_handler
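/* The sample content handler */
static int test_handler(request_rec *r)
{
    int n;
    char *s;

    if (strcmp(r->handler, "test")) {
        return DECLINED;
    }
    r->content_type = "text/html";

    /* Body length comes from the query string; reject a missing or negative value. */
    n = r->args ? atoi(r->args) : -1;
    if (n < 0) {
        return HTTP_BAD_REQUEST;
    }
    s = apr_pcalloc(r->pool, n + 1);   /* zero-filled, so s stays NUL-terminated */
    memset(s, '1', n);
    ap_rprintf(r, "%s", s);            /* n bytes of output through ap_vrprintf() */

    return OK;
}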

3) append to httpd.conf and apachectl start
LoadModule test_module modules/mod_test.so
<Location /test>
SetHandler test
</Location>

4) module output size test
$ N=8192 ; for ((i=$N-4; i<$N+4; i++)) ; do echo $i `curl -s localhost/test?$i | wc -c` ; done
8188 8188
8189 8189
8190 8190
8191 8191
8192 8112        <-- expected size is 8192
8193 8193
8194 8194
8195 8195

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

