httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 48359] Buffer overflow related to setting RequestHeader
Date Wed, 09 Dec 2009 17:46:51 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=48359

--- Comment #1 from Nick Kew <nick@webthing.com> 2009-12-09 09:46:49 UTC ---
With reference to trunk, but I'm sure this applies also to 2.2 ...

A look at the code in question indicates that the use of r->pool causing the
issue is in function process_tags(), and could be fixed by a simple patch:

--- modules/metadata/mod_headers.c    (revision 888304)
+++ modules/metadata/mod_headers.c    (working copy)
@@ -551,6 +551,10 @@

     format_tag *tag = (format_tag*) hdr->ta->elts;

+    while (r->main != NULL) {
+        r = r->main;
+    }
+
     for (i = 0; i < hdr->ta->nelts; i++) {
         s = tag[i].func(r, tag[i].arg);
         if (str == NULL)

Does this make sense, or am I missing something?  Haven't checked the
implications of passing the parent to tags[i].func, FWIW.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message