http://issues.apache.org/bugzilla/show_bug.cgi?id=28204

[PATCH] ab: does not handle urls that are too long

Summary: [PATCH] ab: does not handle urls that are too long
Product: Apache httpd-2.0
Version: 2.1-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: Minor
Priority: Other
Component: support
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]

In Apache Bench there is no check whether the length of the URL given on the command line matches the size of the internal request buf (variable _request), so the sprintf causes a buffer overflow. In my case this overwrote the variable containing the port, so I could not connect to the server. I patched this to use the apr_snprintf function and exit with an error "request too long". I also increased the buffer size for the request to 2048 because 512 was too small for my tests.

Index: ab.c =================================================================== RCS file: /home/cvspublic/httpd-2.0/support/ab.c,v retrieving revision 1.143 diff -u -r1.143 ab.c --- ab.c 25 Mar 2004 00:05:00 -0000 1.143 +++ ab.c 5 Apr 2004 12:31:15 -0000 @@ -313,7 +313,7 @@ apr_time_t start, endtime; /* global request (and its length) */ -char _request[512]; +char _request[2048]; char *request = _request; apr_size_t reqlen; @@ -1534,6 +1534,7 @@ apr_int16_t rv; long i; apr_status_t status; + int snprintf_res=0; #ifdef NOT_ASCII apr_size_t inbytes_left, outbytes_left; #endif @@ -1568,7 +1569,7 @@ /* setup request */ if (posting <= 0) { - sprintf(request, "%s %s HTTP/1.0\r\n" + snprintf_res = apr_snprintf(request, sizeof(_request), "%s %s HTTP/1.0\r\n" "User-Agent: ApacheBench/%s\r\n" "%s" "%s" "%s" "Host: %s%s\r\n" @@ -1581,7 +1582,7 @@ cookie, auth, host_field, colonhost, hdrs); } else { - sprintf(request, "POST %s HTTP/1.0\r\n" + snprintf_res = apr_snprintf(request, sizeof(_request),"POST %s HTTP/1.0\r\n" "User-Agent: ApacheBench/%s\r\n" "%s" "%s" "%s" "Host: %s%s\r\n" 
@@ -1596,6 +1597,9 @@ cookie, auth, host_field, colonhost, postlen, (content_type[0]) ? content_type : "text/plain", hdrs); + } + if (snprintf_res >= sizeof(_request)) { + err("request too long"); } if (verbosity >= 2)
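
Review bot: In the first hunk (@@ -313,7 +313,7 @@), `char _request[2048];` swaps one fixed cap for another bare literal, so a long enough URL plus headers will still hit the limit, only later. Give the size a named constant and state it in the "request too long" message so the user knows what the cap is, or size the buffer from the actual lengths of the URL, headers and other arguments before formatting.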
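
Review bot: In the POST hunk (@@ -1581,7 +1582,7 @@), the new call line drops the space after the comma in `sizeof(_request),"POST` and, like the GET variant in the hunk before it, runs well past 80 columns. Put the format string on its own line in both calls so the two branches stay visually parallel and the size argument is easy to check.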
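
Review bot: In the last hunk (@@ -1596,6 +1597,9 @@), the test `snprintf_res >= sizeof(_request)` detects truncation only if apr_snprintf returns the length the complete string would have needed, as C99 snprintf does. Please confirm that against APR's documented return value: if it returns the number of characters actually stored, the result can never reach sizeof(_request), the err() call is unreachable, and a truncated request is sent silently. In that case compare against `sizeof(_request) - 1` and treat an exactly full buffer as too long. The comparison also mixes the `int snprintf_res` declared in the second hunk with a size_t, so add an explicit cast to avoid a signed/unsigned comparison.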
