Re: httpd 2.2.8 segfaults

Sun, 24 Feb 2008 06:17:41 -0800 

On Sat, 23 Feb 2008, Ruediger Pluem wrote:
I'm still not liking the casts and the mixed -1's, APR_SIZE_MAX and MAX_APR_SIZE_T... 


In any case, I'll be busy for most of this weekend so I probably won't have 
time to try patches until monday...


Thats fine. Looking forward to your test results.



It seems to work after fixing the APR_SIZE_MAX/MAX_APR_SIZE_T thing, 
this is (still) httpd-2.2.8 on Ubuntu 32bit LFS-enabled.



Compiling with optimization and all warnings (-O3 -W -Wall) I only get 
these, which are not related to apr_brigade_partition:

buckets/apr_brigade.c: In function 'apr_brigade_to_iovec':
buckets/apr_brigade.c:359: warning: dereferencing type-punned pointer will 
break strict-aliasing rules
buckets/apr_brigade.c: In function 'apr_brigade_vprintf':
buckets/apr_brigade.c:681: warning: comparison between signed and unsigned


The warning in apr_brigade_vprintf is trivial to fix, it should be 
'int written' instead of 'apr_size_t written' since that's what 
apr_vformatter seems to return.



Also, I get the point of (apr_size_t)(-1) now since it's the 
documented "unknown bucket length" indicator. Ugly, but effective.



However, it seems to me that this leaves a hole for off-by-one 
opportunities because on 32bit:


(apr_size_t)(-1) is 0xffffffff
MAX_APR_SIZE_T is also 0xffffffff

This means that a bucket can hold max 0xfffffffe bytes right?


Without checking too much I would guess that passing 0xffffffff as 
"point" argument to apr_brigade_partition could fall between the 
cracks since the comparisons with MAX_APR_SIZE_T are all < or > ...



From a deobfuscating view to avoid future bugs I would suggest:

1) Create proper defines for use with the bucket length, ie.
   MAX_BUCKET_LEN and BUCKET_LEN_UNKNOWN or something. It's much
   easier to read and keep track of.

2) Wouldn't it make more sense of having apr_brigade_partition() being
   a little more careful like apr_brigade_insert_file() and creating
   buckets of at most MAX_BUCKET_SIZE bytes?


/Nikke
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Niklas Edmundsson, Admin @ {acc,hpc2n}.umu.se      |     [EMAIL PROTECTED]
---------------------------------------------------------------------------
 If at first you don't succeed, skydiving's out!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=























					Reply via email to