httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject mod_rewrite/1234: Improper stack variable initialization in mod_rewrite (fwd)
Date Wed, 22 Oct 1997 00:49:37 GMT
Anyone?  I stared at this for about an hour, and I couldn't reconstruct in
my head how this patch would be needed.  In any event the patch isn't
portable so we can't use it.  But if someone can figure this one out it's
worth some guru points I'd say.  IRIX boxes use Spencer's regex, so if
this is a bug on IRIX it'll be a bug lots of places.

I've included a patch from myself down below which removes some manifest
constants in mod_rewrite.  It shouldn't change behaviour (or fix the bug). 

Dean

---------- Forwarded message ----------
Date: 15 Oct 1997 21:54:12 -0000
From: Wei Hu <wei_hu@sgi.com>
To: apbugs@hyperreal.org
Subject: mod_rewrite/1234: Improper stack variable initialization in mod_rewrite


>Number:         1234
>Category:       mod_rewrite
>Synopsis:       Improper stack variable initialization in mod_rewrite
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Oct 15 15:20:01 PDT 1997
>Last-Modified:
>Originator:     wei_hu@sgi.com
>Organization:   apache
>Release:        1.1 up to 1.2.4
>Environment:
SGI IRIX 6.2 6.3 6.4

I believe the problem is platform-independent
>Description:
> In file mod_rewrite.c
> 
> static int apply_rewrite_rule(request_rec *r, rewriterule_entry *p, char
> *perdir)
> {
>     char *uri;
>     char *output;
>     int flags;
>     char newuri[MAX_STRING_LEN];
>     char port[32];
>     regex_t *regexp;
>     regmatch_t regmatch[10];		<====
> 
> should be changed to:
> 
>      regmatch_t regmatch[10] = {0,0};
> 
> Otherwise, you get random garbage off the stack.


We find that the server would segv under some conditions, depending
on what happened to be on the stack.
>How-To-Repeat:

>Fix:
see above
>Audit-Trail:
>Unformatted:

----- from dean -----

Index: mod_rewrite.c
===================================================================
RCS file: /export/home/cvs/apachen/src/modules/standard/mod_rewrite.c,v
retrieving revision 1.53
diff -u -r1.53 mod_rewrite.c
--- mod_rewrite.c	1997/10/07 05:27:31	1.53
+++ mod_rewrite.c	1997/10/22 00:44:58
@@ -233,11 +233,14 @@
     /* whether proxy module is available or not */
 static int proxy_available;
 
+    /* maximum nmatch parameter for regexec */
+#define MAX_NMATCH	(10)
+
     /* the txt mapfile parsing stuff */
 #define MAPFILE_PATTERN "^([^ \t]+)[ \t]+([^ \t]+).*$"
 #define MAPFILE_OUTPUT "$1,$2"
 static regex_t   *lookup_map_txtfile_regexp = NULL;
-static regmatch_t lookup_map_txtfile_regmatch[10];
+static regmatch_t lookup_map_txtfile_regmatch[MAX_NMATCH];
 
 
 /*
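Review bot: MAX_NMATCH only sizes the arrays in this patch; the regexec() calls that pass the nmatch argument are not touched by any of the hunks, so if one of them still passes a literal 10 it should be changed to MAX_NMATCH as well, otherwise the array bound and the nmatch argument can drift apart, which is exactly the mismatch the constant is meant to rule out. The comment "maximum nmatch parameter for regexec" already describes that coupling, so the define should be used at both ends of it.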
@@ -1541,7 +1544,7 @@
     char env[MAX_STRING_LEN];
     char port[32];
     regex_t *regexp;
-    regmatch_t regmatch[10];
+    regmatch_t regmatch[MAX_NMATCH];
     backrefinfo *briRR = NULL;
     backrefinfo *briRC = NULL;
     int prefixstrip;
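Review bot: this is the declaration the bug report points at, and it stays uninitialized here, which is consistent with the cover note saying the patch is not meant to fix the report. If the diagnosis does hold up, a `memset(regmatch, 0, sizeof(regmatch));` after the declarations would zero the array without the automatic-aggregate initializer the report proposes, and would be the minimal follow-up to this hunk.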
@@ -1594,7 +1597,7 @@
             briRR->source = pstrdup(r->pool, uri);
             briRR->nsub   = regexp->re_nsub;
             memcpy((void *)(briRR->regmatch), (void *)(regmatch),
-                   sizeof(regmatch_t)*10);
+                   sizeof(regmatch));
         }
 
         /* create the RewriteCond backrefinfo, but
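Review bot: `sizeof(regmatch)` is correct here only because `regmatch` is the local array declared earlier in this function, and it now silently assumes that the `regmatch` member of `backrefinfo` also holds MAX_NMATCH entries; that struct is not in the hunk, so confirm it is declared with MAX_NMATCH rather than a literal 10, or the memcpy overruns the member the next time one of the two changes. Since `briRR->nsub = regexp->re_nsub;` is recorded on the line above, copying only `(regexp->re_nsub + 1) * sizeof(regmatch_t)` would also keep the contents of the unused slots out of the backref record, which is the data the report says ends up as stack garbage.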
@@ -1834,7 +1837,7 @@
     char input[MAX_STRING_LEN];
     struct stat sb;
     request_rec *rsub;
-    regmatch_t regmatch[10];
+    regmatch_t regmatch[MAX_NMATCH];
     int rc;
 
     /*
@@ -1953,7 +1956,7 @@
             briRC->source = pstrdup(r->pool, input);
             briRC->nsub   = p->regexp->re_nsub;
             memcpy((void *)(briRC->regmatch), (void *)(regmatch),
-                   sizeof(regmatch_t)*10);
+                   sizeof(regmatch));
         }
     }
 



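As an added example, not Apache code and not from either message above, the following C program shows what a POSIX regexec() leaves in the regmatch_t slots past re_nsub when nmatch is larger than the pattern's group count, and a "$N" expander that bounds-checks every reference against re_nsub and rm_so rather than trusting the array contents. It reuses MAPFILE_PATTERN and the "$1,$2" output template from mod_rewrite.c and the MAX_NMATCH name from Dean's patch; the sample map line, the -2 marker fill and the helper names (match_into, expand_backrefs, map_line, slot_so_after_match, map_line_is) are constructed for this example.

```c
/* Added example (not Apache code): what regexec() leaves in regmatch_t
 * slots past re_nsub, and a backref expander that never trusts them. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define MAX_NMATCH 10                                   /* name from Dean's patch */
#define MAPFILE_PATTERN "^([^ \t]+)[ \t]+([^ \t]+).*$"  /* pattern from mod_rewrite.c */

/* Compile `pattern`, match it against `input`, and fill all MAX_NMATCH
 * slots. The -2 pre-fill is a constructed marker so a caller can tell
 * which slots regexec() wrote: POSIX requires rm_so/rm_eo of the slots
 * beyond re_nsub to be set to -1, so no marker should survive a match.
 * Returns regexec()'s result (0 on match) or -1 if the pattern fails. */
static int match_into(const char *pattern, const char *input,
                      regmatch_t out[MAX_NMATCH], size_t *nsub)
{
    regex_t re;
    size_t i;
    int rc;

    for (i = 0; i < MAX_NMATCH; i++)
        out[i].rm_so = out[i].rm_eo = -2;
    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    *nsub = re.re_nsub;
    rc = regexec(&re, input, MAX_NMATCH, out, 0);
    regfree(&re);
    return rc;
}

/* Expand "$N" references in `tmpl` against `src`/`m`. A reference past
 * `nsub`, past MAX_NMATCH, or to a group that did not take part in the
 * match (rm_so == -1) expands to nothing instead of reading whatever the
 * slot holds. Writes at most outsz-1 bytes plus a NUL; returns the count. */
static size_t expand_backrefs(const char *tmpl, const char *src,
                              const regmatch_t *m, size_t nsub,
                              char *out, size_t outsz)
{
    size_t o = 0, n, len;
    const char *t;

    for (t = tmpl; *t != '\0' && o + 1 < outsz; t++) {
        if (*t != '$' || t[1] < '0' || t[1] > '9') {
            out[o++] = *t;
            continue;
        }
        n = (size_t)(*++t - '0');                 /* consume the digit */
        if (n > nsub || n >= MAX_NMATCH || m[n].rm_so < 0)
            continue;                             /* unused or absent group */
        len = (size_t)(m[n].rm_eo - m[n].rm_so);
        if (len > outsz - 1 - o)
            len = outsz - 1 - o;
        memcpy(out + o, src + m[n].rm_so, len);
        o += len;
    }
    out[o] = '\0';
    return o;
}

/* One RewriteMap txt line through the page's pattern and "$1,$2" output.
 * Returns 0 and fills `out` on match, -1 when the line does not match. */
static int map_line(const char *line, char *out, size_t outsz)
{
    regmatch_t m[MAX_NMATCH];
    size_t nsub;

    if (match_into(MAPFILE_PATTERN, line, m, &nsub) != 0)
        return -1;
    expand_backrefs("$1,$2", line, m, nsub, out, outsz);
    return 0;
}

/* rm_so of `slot` after matching `input`, or -3 when there is no match. */
static long slot_so_after_match(const char *pattern, const char *input,
                                size_t slot)
{
    regmatch_t m[MAX_NMATCH];
    size_t nsub;

    if (slot >= MAX_NMATCH || match_into(pattern, input, m, &nsub) != 0)
        return -3;
    return (long)m[slot].rm_so;
}

/* 1 if `line` maps to exactly `expected`, 0 otherwise (including no match). */
static int map_line_is(const char *line, const char *expected)
{
    char out[128];

    return map_line(line, out, sizeof out) == 0 && strcmp(out, expected) == 0;
}

int main(void)
{
    const char *line = "/old/path\t/new/path  # constructed sample line";
    regmatch_t m[MAX_NMATCH];
    size_t nsub, i;
    char out[128];

    if (match_into(MAPFILE_PATTERN, line, m, &nsub) == 0) {
        printf("re_nsub = %lu\n", (unsigned long)nsub);
        for (i = 0; i < MAX_NMATCH; i++)
            printf("slot %lu: rm_so=%ld rm_eo=%ld\n", (unsigned long)i,
                   (long)m[i].rm_so, (long)m[i].rm_eo);
    }
    if (map_line(line, out, sizeof out) == 0)
        printf("expanded: %s\n", out);
    return 0;
}
```

With the constructed line, slots 0 to 2 carry the match and the two groups, and slots 3 to 9 come back as -1 on glibc, musl and Spencer-derived regexec() implementations, as POSIX specifies. If some regexec() did not honour that and left the marker in place, the `rm_so < 0` test in expand_backrefs would still keep those slots out of the output; the same guard is what protects against "$N" templates that name a group the pattern does not have.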