httpd-dev mailing list archives

From Aryeh Katz <ar...@secured-services.com>
Subject Re: buffer overflow in ab.c
Date Thu, 04 Mar 2004 19:05:41 GMT
Sander Temme wrote:

>>One more thing.
>>Can someone explain this SSL bit for me?
>>This seems to be an uninit var invocation for pollresults?
>>
>>      const apr_pollfd_t *pollresults;
>>-snip
>>       if (ssl == 1)
>>           status = APR_SUCCESS;
>>       else
>>#endif
>>status = apr_pollset_poll(readbits, aprtimeout, &n, &pollresults);
> 
> 
> You mean this one? You're passing the pointer by reference, so
> apr_pollset_poll() can fill it in. It should return a valid array of n
> apr_pollfd_t structures.
> 
I see that my snipping was too effective :).
Actually, this was bug 19271, which I've submitted a patch for.
In the ssl case, pollresults was never initialized, and we'd then try to 
set next_fd to the value of pollresults[i], which causes ab to crash.
Aryeh
> S.
> 


-- 
Aryeh Katz
SecureD Services
http://www.secured-services.com/
410 653 0700 x 2
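
The failure mode described in the message above, reduced to a self-contained sketch. This is an added example, not part of the original message and not code from ab.c or APR. `pollfd_t`, `fake_poll`, `process_events` and the `preset_n` parameter are hypothetical stand-ins, and the assumption is that the loop count is set before the poll call, so the SSL branch reaches the loop without the result pointer ever being written.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for apr_pollfd_t (assumption, not the APR type). */
typedef struct { int fd; } pollfd_t;

static const pollfd_t ready[2] = { {7}, {9} };  /* constructed sample data */

/* Stand-in for the poll call: writes the result array and count through
 * the out-parameters, which is the only place the pointer gets a value. */
static int fake_poll(int *n, const pollfd_t **out)
{
    *n = 2;
    *out = ready;
    return 0;
}

/* Returns the number of descriptors handled, or -1 if the loop would have
 * read through a result pointer that was never filled in.
 * preset_n models a count assigned before the poll call (assumption). */
int process_events(int ssl, int preset_n)
{
    const pollfd_t *pollresults = NULL;  /* hardened: never indeterminate */
    int n = preset_n, status, i, handled = 0;

    if (ssl == 1)
        status = 0;                      /* poll skipped, pointer untouched */
    else
        status = fake_poll(&n, &pollresults);

    if (status != 0)
        return -1;
    if (n > 0 && pollresults == NULL)
        return -1;                       /* unguarded code indexes garbage here */

    for (i = 0; i < n; i++) {
        int next_fd = pollresults[i].fd; /* the access that crashed */
        (void)next_fd;
        handled++;
    }
    return handled;
}

int main(void)
{
    printf("plain: %d\n", process_events(0, 5));
    printf("ssl:   %d\n", process_events(1, 2));
    return 0;
}
```

Without the `NULL` initializer and the guard, the SSL call would dereference an indeterminate pointer, which is undefined behaviour.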

