www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Taketo Kabe <k...@sra-tohoku.co.jp>
Subject mod_userdir/7271: dereferencing NULL pointer in mod_userdir.c
Date Mon, 19 Feb 2001 03:40:57 GMT

>Number:         7271
>Category:       mod_userdir
>Synopsis:       dereferencing NULL pointer in mod_userdir.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sun Feb 18 19:50:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     kabe@sra-tohoku.co.jp
>Release:        httpd-2_0_11-alpha
>Organization:
apache
>Environment:
SunOS 5.8 Generic_108528-05 sun4u sparc SUNW,Ultra-60
gcc version 2.95.2 19991024 (release)
>Description:
modules/mappers/mod_userdir.c:get_suexec_id_doer()
references members of struct passwd pw without calling getpwnam(),
so causes a coredump when CGI is invoked.

>How-To-Repeat:
configure --enable-cgi --disable-cgid (yes, no cgid)
and make the server invoke CGI several times.
The child httpd will coredump on first couple of tries.
>Fix:
Just adding getpwnam() is easy but I'm not convinced enough to
make this MT-safe.

diff -u httpd-2_0_11-alpha/modules/mappers/mod_userdir.c.dist httpd-2_0_11-alpha/modules/mappers/mod_userdir.c
--- httpd-2_0_11-alpha/modules/mappers/mod_userdir.c.dist	Sat Feb 10 23:04:20 2001
+++ httpd-2_0_11-alpha/modules/mappers/mod_userdir.c	Mon Feb 19 12:21:42 2001
@@ -375,6 +375,9 @@
     if (username == NULL) {
         return NULL;
     }
+    if ((pw = getpwnam(username)) == NULL) {	/*XXX MT unsafe*/
+	return NULL;
+    }
 
     if ((ugid = apr_palloc(r->pool, sizeof(ap_unix_identity_t *))) == NULL) {
         return NULL;
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]
 
 


Mime
View raw message