httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 49406] New: malformed FastCGI response may overwrite heap
Date Tue, 08 Jun 2010 17:59:10 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=49406

           Summary: malformed FastCGI response may overwrite heap
           Product: Apache httpd-2
           Version: 2.2.15
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: mod_fcgid
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: ef-lists@email.de


Created an attachment (id=25551)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=25551)
Patch for the bug described

mod_fcgid may overwrite heap data in some rare cases.

In fcgid_bucket.c (Revision 816972 - current trunk):
http://svn.apache.org/viewvc/httpd/mod_fcgid/trunk/modules/fcgid/fcgid_bucket.c?revision=816972&view=markup

The pointer arithmetic in line 99 should be bytewise but isn't. In the rare
case that "hasread" is != 0, the heap gets trashed, causing at least segfaults.

Found this by fuzzing.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message