httpd-dev mailing list archives

From "Wilt, Paul" <pw...@xanedu.com>
Subject RE: [PATCH] Re: apache-1.3.20 segfault?
Date Fri, 21 Sep 2001 11:57:46 GMT
Dean:

Cool!  We have been experiencing this exact core dump scenario
with the NIMDA worm.  We are using Apache 1.3.12 (don't ask!) and
I poked around in the core files and saw the line of code you
patched.  I was going to get around to fixing it but have
been pegged with other work recently.  Kudos to you!

Paul E Wilt 
Principal Software Engineer
__________________________________________________________________
XanEdu, Inc. (division of Proquest Information and Learning)
http://www.xanedu.com  mailto:pwilt@XanEdu.com 
300 North Zeeb Rd      Phone: (734) 302-6545  (800) 218-5971 x6545
Ann Arbor, MI 48106    Fax:   (734) 975-6440
__________________________________________________________________



-----Original Message-----
From: dean@arctic.org [mailto:dean@arctic.org] 
Sent: Thursday, September 20, 2001 10:17 PM
To: dev@httpd.apache.org
Subject: [PATCH] Re: apache-1.3.20 segfault?


On Thu, 20 Sep 2001, dean gaudet wrote:

> hrm, is the segfault described below a known bug?  (i haven't tried it...)
>
> -dean
>
> ---------- Forwarded message ----------
> From: Jeff Moe <tux@themoes.org>
> To: tux-list@redhat.com
> Subject: Re: Serous TUX 2.4.9-J5 problem
>
> Apache 1.3.20 (and presumably earlier) has a similar bug. I noticed this
> during the recent worming. It may be related to Tux's problem. Here's how to
> reproduce it in Apache:
>
> 1) You need to redirect 404s to a 404 document:
> ErrorDocument 404 /fourofour.shtml
> 2) You need be parsing that file:
> AddHandler server-parsed .shtml
> 3) You need to send it a request like:
> http://server.com/test%2fing
>
> Apache will Segfault and you'll get a "Document returned no data error" in
> the browser.
>
> -Jeff

yeah this segfault occurs with 1.3.20 and top of 1.3, but it appears you
need something like:

<!--#include virtual="file" -->

in the fourofour.shtml.

patch below fixes it.  however i'm not so sure it's exactly the right
fix... but there appear to be other examples where we test if filename !=
NULL.  (boy am i rusty in apache code.)

this bug has probably been here forever... i can't imagine any way to
exploit it.

-dean

Index: include/httpd.h
===================================================================
RCS file: /home/cvs/apache-1.3/src/include/httpd.h,v
retrieving revision 1.344
diff -u -r1.344 httpd.h
--- include/httpd.h	2001/08/13 17:09:42	1.344
+++ include/httpd.h	2001/09/21 02:09:27
@@ -806,7 +806,7 @@

     char *unparsed_uri;		/* the uri without any parsing
performed */
     char *uri;			/* the path portion of the URI */
-    char *filename;
+    char *filename;		/* filename if found, otherwise NULL */
     char *path_info;
     char *args;			/* QUERY_ARGS, if any */
     struct stat finfo;		/* ST_MODE set to zero if no such file */
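Review bot: the new comment on `filename` records the invariant (NULL until a lookup resolves a file) but not the obligation that follows from it, and the mod_include hunk in this same patch exists only because a caller ignored that obligation. Since the cover note already says other places test `filename != NULL`, the comment would be more useful as "filename if found, otherwise NULL; check before passing to string functions" so that future callers of `r->filename` see the contract where they pick it up.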
Index: modules/standard/mod_include.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/modules/standard/mod_include.c,v
retrieving revision 1.129
diff -u -r1.129 mod_include.c
--- modules/standard/mod_include.c	2001/07/13 19:45:52	1.129
+++ modules/standard/mod_include.c	2001/09/21 02:09:27
@@ -718,7 +718,7 @@
                 for (p = r; p != NULL && !founddupe; p = p->main) {
 		    request_rec *q;
 		    for (q = p; q != NULL; q = q->prev) {
-			if ( (strcmp(q->filename, rr->filename) == 0) ||
+			if ( (q->filename && strcmp(q->filename,
rr->filename) == 0) ||
 			     (strcmp(q->uri, rr->uri) == 0) ){
 			    founddupe = 1;
 			    break;
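Review bot: the added guard is one-sided: `q->filename` is now checked before `strcmp()`, but `rr->filename`, the second argument, is not, and the `strcmp(q->uri, rr->uri)` on the following line is unguarded as well. If the code above this hunk only reaches the loop once the subrequest lookup has succeeded, `rr->filename` is non-NULL and this is sufficient, but that precondition is not visible here; either make the check symmetric, `if ( (q->filename && rr->filename && strcmp(q->filename, rr->filename) == 0) ||`, or add a one-line comment stating why `rr->filename` cannot be NULL at this point. The `uri` comparison can stay unguarded only if `uri` is always set for every record in the `prev`/`main` chain, which is also worth saying in the comment.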

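The crash described in the thread comes down to the recursion check in mod_include walking the internal-redirect chain back to the original request, whose filename was never resolved because the %2f in the URI made the lookup fail before directory_walk ran. The following is an added example, not Apache code and not part of Dean's patch: it models that chain with the same field names as request_rec in httpd.h (uri, filename, prev, main), puts the pre-patch loop next to a patched one that guards both strcmp() operands, and runs the patched loop over a constructed chain for the two cases that matter, an include of some other file and an include of the error document from itself. The paths, the helper names and the chain itself are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not Apache source. It models the recursion check from
 * mod_include over a chain of request records in which one record has
 * filename == NULL: the lookup for /test%2fing fails before a filename is
 * resolved, the ErrorDocument internal redirect creates a new request whose
 * ->prev points back at it, and the <!--#include virtual--> subrequest then
 * walks that chain. Field names mirror request_rec in httpd.h; everything
 * else here (paths, helper names, the chain) is hypothetical.
 */
typedef struct request_rec {
    const char *uri;
    const char *filename;        /* NULL when no lookup has produced a file */
    struct request_rec *prev;    /* previous request in an internal-redirect chain */
    struct request_rec *main;    /* enclosing request when this is a subrequest */
} request_rec;

/* Pre-patch logic: strcmp() receives q->filename unchecked. On the chain
 * built below this dereferences NULL and dies, so it is kept here only for
 * contrast and is never called. */
int found_dupe_unpatched(request_rec *r, request_rec *rr)
{
    request_rec *p, *q;
    for (p = r; p != NULL; p = p->main)
        for (q = p; q != NULL; q = q->prev)
            if (strcmp(q->filename, rr->filename) == 0 ||
                strcmp(q->uri, rr->uri) == 0)
                return 1;
    return 0;
}

/* Patched logic, with the NULL guard applied to both filename operands
 * rather than only q->filename as in the posted hunk. uri is assumed to be
 * set for every record in the chain, as it is for redirects and subrequests. */
int found_dupe_patched(request_rec *r, request_rec *rr)
{
    request_rec *p, *q;
    for (p = r; p != NULL; p = p->main)
        for (q = p; q != NULL; q = q->prev)
            if ((q->filename && rr->filename &&
                 strcmp(q->filename, rr->filename) == 0) ||
                strcmp(q->uri, rr->uri) == 0)
                return 1;
    return 0;
}

/* Constructed chain from the report: the original request with no filename,
 * the ErrorDocument redirect to /fourofour.shtml whose ->prev is the
 * original, and a subrequest for the include target issued from the
 * redirected request (its ->main is the redirected request). */
static int run_include(const char *inc_uri, const char *inc_file)
{
    request_rec orig = { "/test%2fing", NULL, NULL, NULL };
    request_rec err  = { "/fourofour.shtml", "/var/www/fourofour.shtml", &orig, NULL };
    request_rec sub  = { inc_uri, inc_file, NULL, &err };
    return found_dupe_patched(&err, &sub);
}

/* Include of an unrelated file: must survive the NULL filename on the
 * original request and must not be flagged as recursive. Returns 0. */
int include_of_other_file(void)
{
    return run_include("/file", "/var/www/file");
}

/* Include of the error document from inside itself: the recursion check
 * must still fire. Returns 1. */
int include_of_self(void)
{
    return run_include("/fourofour.shtml", "/var/www/fourofour.shtml");
}

int main(void)
{
    printf("include of /file flagged as recursive: %d\n", include_of_other_file());
    printf("include of self flagged as recursive:  %d\n", include_of_self());
    return 0;
}
```

Swapping found_dupe_patched() for found_dupe_unpatched() in run_include() reproduces the fault the report describes: the inner loop reaches orig via err->prev and passes its NULL filename to strcmp(). The example also shows why the symmetric guard matters: if the subrequest itself had been constructed without a filename, the one-sided check in the posted hunk would still hand NULL to strcmp() as the second argument.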
