httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <rpl...@apache.org>
Subject Re: svn commit: r543515 - in /httpd/httpd/trunk: CHANGES modules/cache/mod_mem_cache.c
Date Fri, 01 Jun 2007 20:55:10 GMT


On 06/01/2007 05:50 PM, covener@apache.org wrote:
> Author: covener
> Date: Fri Jun  1 08:50:12 2007
> New Revision: 543515
> 
> URL: http://svn.apache.org/viewvc?view=rev&rev=543515
> Log:
> SECURITY: CVE-2007-1862 (cve.mitre.org)
> mod_mem_cache: Copy headers into longer lived storage; header names and
> values could previously point to cleaned up storage
> 
> PR: 41551
> Submitted by: Davi Arnaut <davi haxent.com.br>
> Reviewed by: covener
> 
> 
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/modules/cache/mod_mem_cache.c
> 

> 
> Modified: httpd/httpd/trunk/modules/cache/mod_mem_cache.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/cache/mod_mem_cache.c?view=diff&rev=543515&r1=543514&r2=543515
> ==============================================================================
> --- httpd/httpd/trunk/modules/cache/mod_mem_cache.c (original)
> +++ httpd/httpd/trunk/modules/cache/mod_mem_cache.c Fri Jun  1 08:50:12 2007
> @@ -539,12 +539,28 @@
>      return OK;
>  }
>  
> +static apr_table_t *deep_table_copy(apr_pool_t *p, const apr_table_t *table)
> +{
> +    const apr_array_header_t *array = apr_table_elts(table);
> +    apr_table_entry_t *elts = (apr_table_entry_t *) array->elts;
> +    apr_table_t *copy = apr_table_make(p, array->nelts);
> +    int i;
> +
> +    for (i = 0; i < array->nelts; i++) {
> +        if (elts[i].key) {  
> +            apr_table_add(copy, elts[i].key, elts[i].val);
> +        }
> +    }
> +
> +    return copy;
> +}
> +
>  static apr_status_t recall_headers(cache_handle_t *h, request_rec *r)
>  {
>      mem_cache_object_t *mobj = (mem_cache_object_t*) h->cache_obj->vobj;
>  
> -    h->req_hdrs = apr_table_copy(r->pool, mobj->req_hdrs);
> -    h->resp_hdrs = apr_table_copy(r->pool, mobj->header_out);
> +    h->req_hdrs = deep_table_copy(r->pool, mobj->req_hdrs);
> +    h->resp_hdrs = deep_table_copy(r->pool, mobj->header_out);

Just curious: Why is this needed? The live time of the mobj->pool pool should be longer
then that of the r->pool pool (which should be ensured by the refcount stuff, which would
be broken otherwise).
Of course not doing a deep_table_copy can cause trouble afterwards with APR_POOL_DEBUG
set as mobj->pool does not seem to be an ancestor of r->pool. Is this the reason
for this copy operation?

Regards

RĂ¼diger


Mime
View raw message