httpd-dev mailing list archives

From Jim Meyering <...@meyering.net>
Subject Re: [PATCH] don't corrupt heap upon empty response from OCSP server
Date Fri, 06 Jul 2012 08:07:21 GMT
Joe Orton wrote:
> Hi Jim,
>
> On Thu, Jul 05, 2012 at 01:49:25PM +0200, Jim Meyering wrote:
>> This is my first httpd patch/report.
>> If you'd prefer that it go to a BZ or a different list, just let me know.
>
> This is fine!
>
>> I found this by inspection: it appears that line[-1] (the heap) can be
>> corrupted.  Is it possible for len to be 0 at that point?  It looks like
>> it, since the preceding block guards against the len == 0 case.
>> However, I have not tried to trigger the flaw.
>
> Interesting.  Are you using static analysis tools to find these?

No.  In this case I used grep with visual inspection.

> I'm not sure it would be possible for apr_brigade_split_line() to find a
> zero-length string without error, but certainly the code is wrong.
...
> See docs/log-message-tags/ for reference here, keeping the existing
> number is correct.  Thanks for the patch, committed:
>
> http://svn.apache.org/viewvc?view=revision&revision=1358061

Thanks!
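
The pattern discussed in this thread, as an added example that is not part of the original messages and is not httpd's code: a length check that skips `len == 0` followed by an unconditional store to `line[len - 1]`, beside a guarded form. The names `chomp_unguarded`, `chomp_guarded`, `check_case` and `CHOMP_ERR` are hypothetical, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHOMP_ERR ((size_t)-1)   /* hypothetical error value */

/* Unguarded form (hypothetical, not httpd code): the first check skips
 * len == 0, but the store below does not, so an empty line writes to
 * line[-1], one byte before the buffer. */
static size_t chomp_unguarded(char *line, size_t len)
{
    if (len && line[len - 1] != '\n')
        return CHOMP_ERR;            /* no trailing newline */
    line[len - 1] = '\0';            /* out of bounds when len == 0 */
    return len - 1;
}

/* Guarded form: reject the empty line before indexing with len - 1. */
static size_t chomp_guarded(char *line, size_t len)
{
    if (len == 0 || line[len - 1] != '\n')
        return CHOMP_ERR;
    line[--len] = '\0';
    if (len > 0 && line[len - 1] == '\r')   /* also strip CR of CRLF */
        line[--len] = '\0';
    return len;
}

/* Copy a constructed input behind a canary byte, run the guarded form,
 * and report 1 only if the result matches and the canary is untouched. */
static int check_case(const char *s, size_t len, size_t expect)
{
    char mem[32];
    if (len > sizeof mem - 1)
        return 0;
    mem[0] = 0x5A;
    memcpy(mem + 1, s, len);
    return chomp_guarded(mem + 1, len) == expect && mem[0] == 0x5A;
}

int main(void)
{
    char ok[] = "HTTP/1.1 200 OK\n";             /* constructed sample */
    printf("unguarded, non-empty: %zu\n", chomp_unguarded(ok, strlen(ok)));
    printf("empty line rejected:  %d\n", check_case("", 0, CHOMP_ERR));
    printf("CRLF stripped:        %d\n", check_case("abc\r\n", 5, 3));
    return 0;
}
```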
