https://issues.apache.org/bugzilla/show_bug.cgi?id=44641
Summary: mod_rewrite ap_register_rewrite_mapfunc can use
uninitialized memory
Product: Apache httpd-2
Version: 2.0.59
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_rewrite
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
Created an attachment (id=21691)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=21691)
mod_rewrite mapfunc_hash hash_make patch

I checked trunk, and this problem still exists there.

ap_register_rewrite_mapfunc calls apr_hash_set on a hashtable. However,
mod_rewrite registers ap_register_rewrite_mapfunc as an optional function
before the hashtable is initialized with apr_hash_make. That makes the
ap_register_rewrite_mapfunc function available to other modules before the
memory is initialized.

I found this out when writing a custom module that registers a function with
ap_register_rewrite_mapfunc. My module has to do it in the pre_config stage,
because mod_rewrite requires the map function to be registered before it reads
a config line referencing it.

If I have in the apache config a LoadModule of my module before a LoadModule of
mod_rewrite, then I get a segmentation fault in the pre-config stage, because
it's dereferencing a null pointer to a non-existent hashtable. If I change the
order of the LoadModule commands to load mod_rewrite first, then it works fine.

If I have LoadModule of my module first, the segmentation fault happens even
though I register my hook to happen after mod_rewrite, like this:

    static const char * const preModules[] = { "mod_rewrite.c", NULL };
    ap_hook_pre_config(register_rewrite_whitelist_functions,
                       preModules, NULL, APR_HOOK_MIDDLE);

I fixed the problem with the mod_rewrite.c patch I'm including (-1 code line,
+1 code line). With this patch applied, I do not even have to list
mod_rewrite.c to be run first in the pre_config stage; my module can be like
this:

    ap_hook_pre_config(register_rewrite_whitelist_functions,
                       NULL, NULL, APR_HOOK_MIDDLE);

With the patch I'm attaching applied, and with my module using the pre_config
hook without listing mod_rewrite.c, I get no segmentation fault, even if my
module is LoadModule'd first.

I think this should be fixed in trunk, and backported to 2.2 and 2.0.
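
The load-order failure this report describes, as an added example that is not part of the original report and is not httpd or APR code: a constructed C model in which a registration function is published before its table exists. All names (table_make, register_mapfunc, provider_publish_*, consumer_pre_config) are hypothetical, the phase split is an assumption of the model, and the reordered variant is one possible ordering, not the attached patch.

```c
/* Constructed model of the load-order problem; not httpd or APR code. */
#include <stddef.h>
#include <string.h>

#define MAX_FUNCS 8
typedef const char *(*mapfunc_t)(const char *key);
typedef int (*register_fn_t)(const char *name, mapfunc_t fn);
typedef struct { const char *name[MAX_FUNCS]; mapfunc_t fn[MAX_FUNCS]; size_t n; } table_t;

static table_t storage;
static table_t *mapfunc_table;   /* NULL until table_make(), the stand-in for apr_hash_make */
static register_fn_t published;  /* stand-in for the optional-function registry */

static void table_make(void) { memset(&storage, 0, sizeof storage); mapfunc_table = &storage; }

/* Registration entry point. Per the report the real code dereferences the
 * table here; the model returns -1 at that point so it can be tested. */
static int register_mapfunc(const char *name, mapfunc_t fn) {
    if (mapfunc_table == NULL) return -1;          /* the reported crash site */
    if (mapfunc_table->n == MAX_FUNCS) return -2;  /* table full */
    mapfunc_table->name[mapfunc_table->n] = name;
    mapfunc_table->fn[mapfunc_table->n++] = fn;
    return 0;
}

/* Order as reported: function reachable first, table created later. */
static void provider_publish_buggy(void) { published = register_mapfunc; }
static void provider_init_buggy(void)    { table_make(); }
/* Reordered: the table exists before the function becomes reachable. */
static void provider_publish_fixed(void) { table_make(); published = register_mapfunc; }

static const char *identity(const char *key) { return key; }
/* Consumer's pre_config step: registers through whatever is published. */
static int consumer_pre_config(void) { return published ? published("whitelist", identity) : -3; }
static void reset(void) { mapfunc_table = NULL; published = NULL; }

/* Consumer's pre_config runs before the provider has created its table. */
int consumer_first(int fixed) {
    reset();
    if (fixed) provider_publish_fixed(); else provider_publish_buggy();
    int rc = consumer_pre_config();
    if (!fixed) provider_init_buggy();
    return rc;
}

/* Provider fully initialized before the consumer runs. */
int provider_first(void) {
    reset();
    provider_publish_buggy();
    provider_init_buggy();
    return consumer_pre_config();
}
```
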