>Number: 1987
>Category: mod_negotiation
>Synopsis: Apache dumps core when handling unacceptable variants
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Tue Mar 24 12:00:01 PST 1998
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: 1.2.5
>Environment:
no need
>Description:
There's an error in is_variant_better_na() function in mod_negotiation.c.
If the first treated variant is unacceptable (first => best==NULL,bestq==0;
unacceptable => q==0), the test "if (q == bestq)" is true, and then
"best->charset_quality" makes SIGSEGV.
>How-To-Repeat:
The error occurs whenever e.g.:
the module is compiled with "#define TCN_02" uncommented
at the beggining of file mod_negotiation.c &&
the browser sends any Accept-* header &&
the request creates several variants (via multiviews) &&
but none of them is acceptable
>Fix:
Include the following test (marked with '<') at line 1442 (into the
function is_variant_better_na()):
! if (q == 0) return 0;
if (q > bestq) {
*p_bestq = q;
return 1;
}
%0
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
