https://issues.apache.org/bugzilla/show_bug.cgi?id=57229
Bug ID: 57229
Summary: mod_sed dies on long lines
Product: Apache httpd-2
Version: 2.4.10
Hardware: PC
OS: Windows NT
Status: NEW
Severity: normal
Priority: P2
Component: mod_sed
Assignee: [email protected]
Reporter: [email protected]
When mod_sed is used to replace strings in a document that has long lines (i.e.
some Kilobytes), it dies on the first long line that matches and terminates
transmission of the rest of the document.
This is reproducible.
How: Make a script that produces output in a single line and matches. Increase
length of line and see when mod_sed begins to fail.
Bug is present in apache http 2.4.10 and apache http trunk.
Here is the rundown:
mod1.c has
#define INIT_BUF_SIZE 1024
If a filtered document has a longer line, buffer gets grown.
But as soon as buffer is grown, mod_sed fails afterwards.
Partial Workaround (compiletime only):
increase
#define INIT_BUF_SIZE 1024
to a larger value that is safe for all lines in all documents you will process.
#define INIT_BUF_SIZE 16384
Impact:
mod_sed breaks reliable document delivery.
Risks:
Denial of Service
Exploits?
Maintainer:
Please urgently check and fix this mod_sed bug.
My consideration:
It seems to be a buffer problem.
mod_sed very likely works on user submitted content.
From the code I see mod_sed uses a lot of pointers involved with the buffers.
There might be a high risk for buffer overrun/underrun or remote code
execution.
Regards,
Oliver
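
The report does not establish the root cause, only that the failure appears once the line buffer grows past INIT_BUF_SIZE. As an added example (not mod_sed's code and not part of the original report), this is a line buffer that stays consistent across growth by saving the cursor as an offset and rebuilding every pointer after realloc; the linebuf type and the lb_* names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

#define INIT_BUF_SIZE 1024   /* initial size quoted in the report */

/* Hypothetical line buffer (not mod_sed's structure). */
typedef struct {
    char *base;  /* start of storage */
    char *cur;   /* next byte to write */
    char *end;   /* one past the last usable byte */
} linebuf;

int lb_init(linebuf *lb) {
    lb->base = malloc(INIT_BUF_SIZE);
    if (lb->base == NULL) return -1;
    lb->cur = lb->base;
    lb->end = lb->base + INIT_BUF_SIZE;
    return 0;
}

/* Make room for `need` more bytes. realloc may move the storage, so the
   cursor is kept as an offset and every pointer is rebuilt afterwards. */
static int lb_reserve(linebuf *lb, size_t need) {
    size_t used = (size_t)(lb->cur - lb->base);
    size_t cap = (size_t)(lb->end - lb->base);
    if (need <= cap - used) return 0;
    while (cap - used < need) {
        if (cap > (size_t)-1 / 2) return -1;  /* size would overflow */
        cap *= 2;
    }
    char *p = realloc(lb->base, cap);
    if (p == NULL) return -1;  /* old storage is still valid */
    lb->base = p;
    lb->cur = p + used;
    lb->end = p + cap;
    return 0;
}

int lb_append(linebuf *lb, const char *src, size_t n) {
    if (lb_reserve(lb, n) != 0) return -1;
    memcpy(lb->cur, src, n);
    lb->cur += n;
    return 0;
}

size_t lb_len(const linebuf *lb) { return (size_t)(lb->cur - lb->base); }
size_t lb_cap(const linebuf *lb) { return (size_t)(lb->end - lb->base); }
void lb_free(linebuf *lb) { free(lb->base); lb->base = lb->cur = lb->end = NULL; }
```

A regression test for this class of bug feeds one line longer than INIT_BUF_SIZE in several chunks, so that growth happens mid-line, and then checks both the length and the content.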