[ https://issues.apache.org/jira/browse/AXIS2C-1608?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Lazarski resolved AXIS2C-1608.
-------------------------------------
Fix Version/s: 2.0.0 (was: 1.7.0)
Resolution: Fixed
The issue had two root causes:

1. NULL pointer arithmetic: copy_value() didn't check if strchr(pair, ';') returned NULL. For the last cookie (no trailing ;), this caused NULL - pair = huge number, then pair[len] accessed memory far outside the string → crash.

2. Modifying read-only memory: Both copy_key() and copy_value() modified the input string in-place by temporarily inserting '\0'. Apache's apr_table_get() returns a const/read-only string, so writing to it caused a segfault.

The fix uses axutil_strmemdup() to copy substrings without modifying the input, and properly handles cookies without trailing semicolons.
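As an added example (not Axis2/C's own code), a cookie lookup written the way the fix above describes: it copies substrings instead of writing '\0' into the input, and treats a missing ';' as end-of-string rather than feeding a NULL from strchr() into pointer arithmetic. The names cookie_get, dup_range and sample_cookie_header are my own; the header value is the one from the report below.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the Cookie header from the report, as one line.
 * A string literal is read-only, like the value apr_table_get() returns. */
const char *const sample_cookie_header =
    "PHPSESSID=n3luspdq3oo6c8g6rhjv4sqgk5; "
    "webpy_session_id=fe06cdaf9f6d0acb635c6177e7b6c4f44841f447";

/* Copies [start, start+len) into a fresh NUL-terminated buffer, the role
 * axutil_strmemdup() plays in the fix. The caller frees the result. */
static char *dup_range(const char *start, size_t len)
{
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, start, len);
    out[len] = '\0';
    return out;
}

/* Looks up `key` in a header of the form "k1=v1; k2=v2" and returns a heap
 * copy of its value, or NULL if absent. The header is never written to, and
 * the final pair (no trailing ';') is bounded by strlen() instead of by a
 * NULL strchr() result, which is the arithmetic that crashed Axis2/C. */
char *cookie_get(const char *header, const char *key)
{
    size_t keylen = strlen(key);
    const char *pair = header;

    while (*pair != '\0') {
        while (*pair == ' ' || *pair == ';')   /* skip separators */
            pair++;
        const char *end = strchr(pair, ';');
        if (end == NULL)                       /* last pair: no ';' follows */
            end = pair + strlen(pair);
        const char *eq = memchr(pair, '=', (size_t)(end - pair));
        if (eq != NULL && (size_t)(eq - pair) == keylen
            && memcmp(pair, key, keylen) == 0)
            return dup_range(eq + 1, (size_t)(end - eq - 1));
        pair = end;
    }
    return NULL;
}
```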
> Segmentation fault when HTTP request includes multiple cookies in a cookie HTTP-header
> ---------------------------------------------------------------------------------------
>
> Key: AXIS2C-1608
> URL: https://issues.apache.org/jira/browse/AXIS2C-1608
> Project: Axis2-C
> Issue Type: Bug
> Components: transport/http
> Affects Versions: 1.7.0
> Environment: Linux Debian, Axis2/c version 1.7.0-RC5 built from source, on top of Apache 2.2.16
> Reporter: Zvika Ferentz
> Priority: Major
> Fix For: 2.0.0
>
>
> Greetings,
> We've noticed that when Axis2/C accepts a request with more than a single cookie, the Apache crashes (segfault).
> If the cookies are sent via multiple cookie-headers then everything seems to be ok. We have tested it with multiple 1.7 release-candidates and the behavior is the same. When tested with 1.6.0 everything seems to be ok as well.
> For example, here is a request that crashed the server:
> GET /ws/services/ HTTP/1.1
> Host: 10.10.3.58
> Connection: keep-alive
> Cache-Control: max-age=0
> Authorization: Basic YWRtaW46YTEgfmAkJiInPD4v
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML,
> like Gecko) Chrome/22.0.1229.94 Safari/537.4
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Encoding: gzip,deflate,sdch
> Accept-Language: en-US,en;q=0.8
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
> Cookie: PHPSESSID=n3luspdq3oo6c8g6rhjv4sqgk5; webpy_session_id=fe06cdaf9f6d0acb635c6177e7b6c4f44841f447
> Any idea?
> Thank you very much,
> Z.
--
This message was sent by Atlassian Jira (v8.20.10#820010)