httpd-dev mailing list archives

From Joe Orton <>
Subject Re: [PATCH] don't corrupt heap upon empty response from OCSP server
Date Fri, 06 Jul 2012 07:43:46 GMT

Hi Jim,

On Thu, Jul 05, 2012 at 01:49:25PM +0200, Jim Meyering wrote:
> This is my first httpd patch/report.
> If you'd prefer that it go to a BZ or a different list, just let me know.

This is fine!

> I found this by inspection: it appears that line[-1] (the heap) can be
> corrupted.  Is it possible for len to be 0 at that point?  It looks like
> it, since the preceding block guards against the len == 0 case.
> However, I have not tried to trigger the flaw.

Interesting.  Are you using static analysis tools to find these?

I'm not sure it would be possible for apr_brigade_split_line() to find a 
zero-length string without error, but certainly the code is wrong.

> A minor note:  From the documentation of APLOGNO, it was not clear
> whether I should change 01979, given that this patch changes its guard
> condition in such a small way, so I left it.  You may want to burn the
> 01979 and simply use a new number.
> Also, I didn't know of a recommended method for finding a number
> for the new diagnostic, so I did a quick and dirty:

See docs/log-message-tags/ for reference here; keeping the existing
number is correct.  Thanks for the patch, committed:

Regards, Joe
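
Added illustration of the `line[-1]` write discussed in this thread; it is not part of either message and is not httpd's code. The function names and the canary harness are hypothetical, and the sample lines are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unguarded strip: assumes len >= 1. With len == 0, end[-1] is line[-1],
 * the byte that sits just before the line buffer. */
static void strip_eol_unguarded(char *line, size_t len)
{
    char *end = line + len;
    end[-1] = '\0';
    if (len > 1 && end[-2] == '\r')
        end[-2] = '\0';
}

/* Guarded strip: refuses an empty or unterminated line.
 * Returns the stripped length, or -1 if the input is rejected. */
static long strip_eol_checked(char *line, size_t len)
{
    if (len == 0 || line[len - 1] != '\n')
        return -1;
    line[--len] = '\0';
    if (len > 0 && line[len - 1] == '\r')
        line[--len] = '\0';
    return (long)len;
}

/* Place a canary byte directly before the line inside one array, so the
 * stray write is observable and stays within a single object.
 * len must be at most 62. Returns 1 if the canary is intact afterwards. */
static int canary_survives(int use_checked, const char *data, size_t len)
{
    char arena[64];
    memset(arena, 0, sizeof arena);
    arena[0] = 'C';                     /* stands in for adjacent heap data */
    memcpy(arena + 1, data, len);
    if (use_checked)
        (void)strip_eol_checked(arena + 1, len);
    else
        strip_eol_unguarded(arena + 1, len);
    return arena[0] == 'C';
}

int main(void)
{
    printf("unguarded, empty line: canary intact = %d\n", canary_survives(0, "", 0));
    printf("guarded, empty line:   canary intact = %d\n", canary_survives(1, "", 0));
    return 0;
}
```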
