http://issues.apache.org/bugzilla/show_bug.cgi?id=43310

           Summary: buffer overflow (1 byte) in ap_vrprintf()
           Product: Apache httpd-2
           Version: 2.2.4
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P4
         Component: Core
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

If the entire output size of ap_vrprintf() is a multiple of 8192 (AP_IOBUFSIZE), then vd.vbuff.curpos is equal to vd.vbuff.curend and the null terminator is written over the end of vrprintf_buf[]. On my machine, the first byte of vd.vbuff.curpos is cleared to zero, and the 3rd parameter of output_buffer() is calculated incorrectly.

Tested on apache-2.2.4

======== Steps to reproduce the problem:

1) Make a sample module

    $ apxs -g -n test

2) Edit test_handler in the generated mod_test.c

    /* These headers are already present in the apxs-generated mod_test.c;
     * listed here so the handler compiles on its own. */
    #include <stdlib.h>
    #include <string.h>
    #include "httpd.h"
    #include "http_config.h"
    #include "http_protocol.h"
    #include "ap_config.h"

    /* The sample content handler: emits exactly N bytes of '1', where N is
     * the query string (localhost/test?N). */
    static int test_handler(request_rec *r)
    {
        if (strcmp(r->handler, "test")) {
            return DECLINED;
        }
        r->content_type = "text/html";

        /* No query string means no bytes to send. */
        int n = r->args ? atoi(r->args) : 0;
        char *s = apr_pcalloc(r->pool, n + 1);   /* NUL-terminated by pcalloc */
        memset(s, '1', n);
        ap_rprintf(r, "%s", s);
        return OK;
    }

3) Append to httpd.conf and apachectl start

    LoadModule test_module modules/mod_test.so
    <Location /test>
        SetHandler test
    </Location>

4) Module output size test

    $ N=8192 ; for ((i=$N-4; i<$N+4; i++)) ; do echo $i `curl -s localhost/test?$i | wc -c` ; done
    8188 8188
    8189 8189
    8190 8190
    8191 8191
    8192 8112   <-- expected size is 8192
    8193 8193
    8194 8194
    8195 8195
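The off-by-one the report describes is easiest to see in a small model of the buffered-printf path: a fixed-size buffer, a fill loop that flushes only when it needs room for the next byte, and a caller that NUL-terminates at curpos afterwards. The following is an added example written for this page, not httpd or APR code; the names vbuff, curpos, endpos, flush and the sink are assumptions standing in for the real structures, and IOBUFSIZE stands in for AP_IOBUFSIZE. The "fixed" variant is one possible hardening (flush before terminating), not necessarily the change the project made.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the buffered-printf path in the report (added example, not httpd
 * or APR code). IOBUFSIZE stands in for AP_IOBUFSIZE. */
#define IOBUFSIZE 8192

struct vbuff {
    char *curpos;               /* next free byte */
    char *endpos;               /* one past the last byte of the buffer */
};

struct sink {
    size_t sent;                /* bytes handed to the "client" so far */
};

/* Flush callback (assumed shape): hand the filled part of the buffer to the
 * sink and rewind curpos to the start of the buffer. */
static void flush(struct vbuff *vb, char *buf, struct sink *s)
{
    s->sent += (size_t)(vb->curpos - buf);
    vb->curpos = buf;
}

/* Stand-in for the formatter's fill loop: it flushes only when the buffer is
 * full AND another byte must be stored. After the final byte, curpos can sit
 * exactly at endpos with nothing having flushed it. */
static void fill(struct vbuff *vb, char *buf, struct sink *s,
                 const char *src, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (vb->curpos == vb->endpos)
            flush(vb, buf, s);
        *vb->curpos++ = src[i];
    }
}

/* The pattern the report describes: terminate at curpos, then derive the
 * remaining length from curpos. Sets *overflow when the terminator would land
 * at buf[IOBUFSIZE]. The buffer carries one spare byte so this demonstration
 * never corrupts its own stack; the real buffer has no such spare, which is
 * why the report saw curpos itself clobbered. */
static size_t rprintf_unfixed(const char *src, size_t n, int *overflow)
{
    char buf[IOBUFSIZE + 1];
    struct vbuff vb = { buf, buf + IOBUFSIZE };
    struct sink s = { 0 };

    fill(&vb, buf, &s, src, n);
    *overflow = (vb.curpos == vb.endpos);   /* 1 whenever n > 0 and n % IOBUFSIZE == 0 */
    *vb.curpos = '\0';                      /* one byte past the buffer when *overflow */
    s.sent += (size_t)(vb.curpos - buf);
    return s.sent;
}

/* Hardened form: if the buffer is exactly full, flush first so the terminator
 * has room; curpos is then back at buf and the length computation stays right. */
static size_t rprintf_fixed(const char *src, size_t n)
{
    char buf[IOBUFSIZE];
    struct vbuff vb = { buf, buf + IOBUFSIZE };
    struct sink s = { 0 };

    fill(&vb, buf, &s, src, n);
    if (vb.curpos == vb.endpos)
        flush(&vb, buf, &s);
    *vb.curpos = '\0';
    s.sent += (size_t)(vb.curpos - buf);
    return s.sent;
}

/* Observations for a constructed payload of n '1' bytes (the report's input). */
static char *payload(size_t n)
{
    char *p = malloc(n + 1);
    memset(p, '1', n);
    p[n] = '\0';
    return p;
}

static int unfixed_overflows(size_t n)
{
    int ovf;
    char *p = payload(n);
    rprintf_unfixed(p, n, &ovf);
    free(p);
    return ovf;
}

static size_t fixed_bytes(size_t n)
{
    char *p = payload(n);
    size_t sent = rprintf_fixed(p, n);
    free(p);
    return sent;
}

/* Same size sweep as the report's curl loop. */
int main(void)
{
    for (size_t n = IOBUFSIZE - 4; n < IOBUFSIZE + 4; n++)
        printf("%zu unfixed_overflow=%d fixed_bytes=%zu\n",
               n, unfixed_overflows(n), fixed_bytes(n));
    return 0;
}
```

Only the sizes where the total output is a non-zero multiple of IOBUFSIZE trip the unfixed path, which matches the single bad row (8192) in the reporter's table. In this model the unfixed byte count still comes out right because the spare byte absorbs the NUL; with the real stack layout the NUL lands in whatever follows the buffer, and the report's 8112 is what that looks like when it hits the low byte of curpos.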
