httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: AW: problems with ssl in balance/proxy mode
Date Wed, 30 Nov 2005 22:54:19 GMT


On 11/30/2005 11:53 AM, Matthias Behrens wrote:
> thx
> 
> this seems to be the proper fix, but
> how do i apply it? which tool do i need for patching the sourcecode?
> 
> sorry for asking such newbie questions. i am new to open source development.

Ok. Let me summarize: You found the reason for the problem (which was really not easy in this case) but you do not know how to apply a patch to the source code. You are using Outlook for your mail and www.gulp.de runs on a Windows version of httpd. So you must be a Windows developer :-).
Jokes aside. I am working on Unix where patches are applied with patch / gpatch. I really do not know how to do this on Windows, except with cygwin :-). So some Windows developers to the rescue please!

> 
> also: can you tell me if my way of fixing the problem was wrong and why?
> what is it with brigades and buckets anyway?

Please have a look at http://www.apachetutor.org/dev/brigades

> they seem to be pretty unreliable since it is possible to make a bucket that contains a pointer to your local char variable and pass it to another function which gives the pointer to another bucket in another brigade!
> that's very dangerous - especially since the guy who programmed the code responsible for this bug, used the proper functions which indicate proper use of his data.

[..cut..]

No, this is neither unreliable nor really dangerous provided that you have a better knowledge of the concept of brigades and buckets. Brigades and buckets are passed thru filter chains. The filters do whatever work needs to be done (maybe even no work at all) on the buckets and pass them to the next filter in the chain. In the case of output filters they get finally written to the client, in the case of input filters they normally get consumed by the handler. From the call stack perspective the whole filter chain is done during one pass so pointers to local variables of functions deeper in the call stack are still valid.

Sometimes a filter cannot work on the data contained in the buckets right now during this call, but it can do on one of the next calls to it when the unconsumed buckets fly by again. In this case the filter typically sets these buckets "aside". For (nearly?) all bucket types there is a setaside operation defined to do just that. In the case of a transient bucket the bucket is transformed into a heap bucket, which means that the data from the transient buffer (local char in our case) is copied to a buffer on the heap and thus is still valid (provided the pool from which the heap buffer was acquired survived) during the next call of the filter.

The problem you faced here was caused by the situation that mod_proxy did not set aside the buckets it did not want to work on immediately (it tries to get "enough" data to make a good and safe decision on how to handle request bodies regarding content-length and transfer-encoding: chunked. See also "CVE-2005-2088" on http://httpd.apache.org/security/vulnerabilities_20.html).

Regards

Rüdiger
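To make the transient-versus-heap distinction from the message above concrete, here is an added, self-contained C model; it is not APR's code and not from this thread, the struct and function names are hypothetical, and only the behaviour (a setaside copies a transient bucket's borrowed bytes to the heap, as apr_bucket_setaside() does) mirrors the real library. A reused scratch buffer stands in for the local char array whose stack frame goes away between two passes through the filter chain.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical mini-model of two bucket types (not APR's real structures). */
enum bucket_type { BUCKET_TRANSIENT, BUCKET_HEAP };

struct bucket {
    enum bucket_type type;
    const char *data;   /* TRANSIENT: borrowed pointer; HEAP: owned copy */
    size_t len;
};

/* Like a transient bucket create: the bucket only borrows the caller's buffer. */
static void bucket_transient_make(struct bucket *b, const char *buf, size_t len) {
    b->type = BUCKET_TRANSIENT; b->data = buf; b->len = len;
}

/* Like setaside on a transient bucket: copy the bytes to the heap so the
 * bucket stays valid after the buffer's owner returns or reuses the buffer. */
static int bucket_setaside(struct bucket *b) {
    if (b->type != BUCKET_TRANSIENT) return 0;   /* heap buckets already own data */
    char *copy = malloc(b->len);
    if (!copy) return -1;
    memcpy(copy, b->data, b->len);
    b->data = copy; b->type = BUCKET_HEAP;
    return 0;
}

static void bucket_destroy(struct bucket *b) {
    if (b->type == BUCKET_HEAP) free((void *)b->data);
    b->data = NULL; b->len = 0;
}

/* A filter that cannot process the bucket now and keeps it for a later call.
 * do_setaside = 0 models the mod_proxy bug described above, 1 the correct way. */
static void filter_keep_for_later(struct bucket *kept, const struct bucket *in, int do_setaside) {
    *kept = *in;
    if (do_setaside) bucket_setaside(kept);
}

/* Two passes through the chain: the producer fills the same scratch buffer
 * (constructed sample data) each time. Returns 1 if the kept bytes survived. */
static int retained_data_intact(int do_setaside) {
    char scratch[16];
    struct bucket in, kept;
    memcpy(scratch, "chunk-one", 9);
    bucket_transient_make(&in, scratch, 9);
    filter_keep_for_later(&kept, &in, do_setaside);
    memcpy(scratch, "chunk-two", 9);      /* next pass reuses the buffer */
    int ok = memcmp(kept.data, "chunk-one", 9) == 0;
    bucket_destroy(&kept);
    return ok;
}
```

Without the setaside the retained bucket silently reads the next pass's bytes; in real code the pointer would reference a dead stack frame, which is worse because the result is undefined rather than merely wrong.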
