httpd-dev mailing list archives

From ras...@mail1.bellglobal.com
Subject Buffer read overflow
Date Thu, 12 Dec 1996 20:09:00 GMT
I think we are going off the end of a buffer here.  The following is from
Insure++ running on a Solaris 2.5 box.  mod_proxy is compiled in, and the
following was triggered by a proxy request.  Doesn't look like it is
proxy-specific though.  Looks like a general problem with calling bvputs
with a non-null-terminated string.  strlen(x) goes too far and the second
problem in bwrite happens as a result.  I don't have a patch yet.  I am
still trying to make sense of it.  Perhaps Insure++ is on drugs on this one.

[buff.c:708] **READ_OVERFLOW**
>>         j = strlen(x);

  String is not null terminated within range: <argument 1>

  Reading   : 0x002aa94a
  From block: 0x002aa208 thru 0x002ac217 (8208 bytes)
             block allocated at:
                          malloc()  (interface)
                    malloc_block()  alloc.c, 107
                       new_block()  alloc.c, 204
                   make_sub_pool()  alloc.c, 269
                            main()  http_main.c, 1938

  Stack trace where the error occurred:
                          strlen()  (interface)
                          bvputs()  buff.c, 708
             send_error_response()  http_protocol.c, 1476
                             die()  http_request.c, 756
                        decl_die()  http_request.c, 769
        process_request_internal()  http_request.c, 840
                 process_request()  http_request.c, 925
                      child_main()  http_main.c, 1559
                      make_child()  http_main.c, 1623
                 standalone_main()  http_main.c, 1872
                            main()  http_main.c, 1981

[buff.c:599] **READ_OVERFLOW**
>>     if (nbyte > 0) memcpy(fb->outbase, buf, nbyte);

  Reading overflows memory: <argument 2>

          bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
          |            5828            |   2380    | 4 |
                                       rrrrrrrrrrrrrrrrr

   Reading    (r) : 0x002ab8cc thru 0x002ac21b (2384 bytes)
   From block (b) : 0x002aa208 thru 0x002ac217 (8208 bytes)
                   block allocated at:
                          malloc()  (interface)
                    malloc_block()  alloc.c, 107
                       new_block()  alloc.c, 204
                   make_sub_pool()  alloc.c, 269
                            main()  http_main.c, 1938

  Stack trace where the error occurred:
                          memcpy()  (interface)
                          bwrite()  buff.c, 599
                          bvputs()  buff.c, 709
             send_error_response()  http_protocol.c, 1476
                             die()  http_request.c, 756
                        decl_die()  http_request.c, 769
        process_request_internal()  http_request.c, 840
                 process_request()  http_request.c, 925
                      child_main()  http_main.c, 1559
                      make_child()  http_main.c, 1623
                 standalone_main()  http_main.c, 1872
                            main()  http_main.c, 1981

-Rasmus
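Added illustration of the failure mode in the report above (this is example code written for this page, not Apache's buff.c, and not a patch for it): a bvputs-style varargs writer trusts strlen() on every argument, so one length-delimited, non-null-terminated field makes strlen() run past the end of the data and the following bwrite()/memcpy() reads the same garbage, exactly the two-stage READ_OVERFLOW the trace shows. The buff_t struct, bwrite(), bvputs(), bvwrite_n(), pstrndup() and the demo_* functions are all assumed names modelled loosely on the identifiers in the trace; the 8-byte request fragment is a constructed sample. Two fixes a caller can apply are shown: pass explicit lengths instead of relying on a terminator, or terminate a copy before handing it to the strlen-based API.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal output buffer shaped like the fb->outbase/bwrite pair
 * in the Insure++ trace.  Illustrative only; not Apache's BUFF. */
#define OUTBUF_SIZE 64

typedef struct {
    char   outbase[OUTBUF_SIZE];
    size_t outcnt;    /* bytes currently queued in outbase */
    size_t flushed;   /* bytes "sent" so far (only counted here, never written out) */
} buff_t;

static void buff_init(buff_t *fb) { memset(fb, 0, sizeof *fb); }

/* bwrite-style: queue nbyte bytes, "flushing" whenever outbase fills.
 * memcpy() here reads exactly nbyte bytes from buf, so it is only as safe
 * as the nbyte the caller computed.  Returns the number of bytes accepted. */
static size_t bwrite(buff_t *fb, const char *buf, size_t nbyte) {
    size_t done = 0;
    while (done < nbyte) {
        if (fb->outcnt == OUTBUF_SIZE) {      /* buffer full: flush it */
            fb->flushed += fb->outcnt;
            fb->outcnt = 0;
        }
        size_t room = OUTBUF_SIZE - fb->outcnt;
        size_t n = (nbyte - done < room) ? nbyte - done : room;
        memcpy(fb->outbase + fb->outcnt, buf + done, n);
        fb->outcnt += n;
        done += n;
    }
    return done;
}

/* bvputs-style: a NULL-terminated list of C strings.  The strlen() call is
 * the point of failure: if an argument is not null-terminated, strlen() reads
 * past it and bwrite() then copies that over-long range. */
static size_t bvputs(buff_t *fb, ...) {
    va_list ap; size_t total = 0; const char *x;
    va_start(ap, fb);
    while ((x = va_arg(ap, const char *)) != NULL)
        total += bwrite(fb, x, strlen(x));
    va_end(ap);
    return total;
}

/* Fix (1), API side: every argument is a (pointer, length) pair, so no
 * strlen() is ever run on caller-supplied data.  List ends with NULL. */
static size_t bvwrite_n(buff_t *fb, ...) {
    va_list ap; size_t total = 0; const char *x;
    va_start(ap, fb);
    while ((x = va_arg(ap, const char *)) != NULL) {
        size_t len = va_arg(ap, size_t);
        total += bwrite(fb, x, len);
    }
    va_end(ap);
    return total;
}

/* Fix (2), call-site side: make a null-terminated copy of a
 * length-delimited buffer before using a strlen-based API.  Caller frees. */
static char *pstrndup(const char *src, size_t n) {
    char *dst = malloc(n + 1);
    if (dst == NULL) return NULL;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return dst;
}

/* Constructed sample: 8 bytes sliced out of a request line, no terminator.
 * Returns the total number of bytes written by both safe variants. */
static size_t demo_total(void) {
    buff_t fb;
    buff_init(&fb);
    char raw[8] = { 'G','E','T',' ','/','a','b','c' };

    /* Wrong: bvputs(&fb, "Error: ", raw, NULL); strlen(raw) leaves the array. */

    /* Right (1): explicit lengths, nothing is strlen()'d. */
    size_t n1 = bvwrite_n(&fb, "Error: ", (size_t)7,
                               raw, sizeof raw,
                               "\n", (size_t)1, NULL);

    /* Right (2): terminate a copy, then the strlen-based API is safe. */
    char *copy = pstrndup(raw, sizeof raw);
    if (copy == NULL) return 0;
    size_t n2 = bvputs(&fb, "Error: ", copy, "\n", NULL);
    free(copy);
    return n1 + n2;
}

/* Writes n bytes through bwrite() and reports how many were flushed,
 * to show the buffer-boundary handling in isolation. */
static size_t demo_flushed(size_t n) {
    buff_t fb;
    char src[128];
    buff_init(&fb);
    memset(src, 'x', sizeof src);
    if (n > sizeof src) n = sizeof src;
    bwrite(&fb, src, n);
    return fb.flushed;
}

int main(void) {
    printf("bytes written safely: %zu\n", demo_total());
    return 0;
}
```

The point of the two fixes is the same: the length that reaches memcpy() must come from something the caller actually knows (the field's length, or a terminator it placed itself), never from strlen() over data whose termination nobody guaranteed.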
