On Tue, Sep 7, 2021 at 2:00 PM Yann Ylavic <[email protected]> wrote:
>
> On Mon, May 25, 2020 at 7:50 AM <[email protected]> wrote:
> >
> > Author: rpluem
> > Date: Mon May 25 05:50:12 2020
> > New Revision: 1878092
> >
> > URL: http://svn.apache.org/viewvc?rev=1878092&view=rev
> > Log:
> > Fix a NULL pointer dereference
> >
> > * server/scoreboard.c (ap_increment_counts): In certain cases like certain
> > invalid requests r->method might be NULL here. r->method_number defaults
> > to M_GET and hence is M_GET in these cases.
> >
> >
> > Modified:
> > httpd/httpd/trunk/server/scoreboard.c
> >
> > Modified: httpd/httpd/trunk/server/scoreboard.c
> > URL:
> > http://svn.apache.org/viewvc/httpd/httpd/trunk/server/scoreboard.c?rev=1878092&r1=1878091&r2=1878092&view=diff
> > ==============================================================================
> > --- httpd/httpd/trunk/server/scoreboard.c (original)
> > +++ httpd/httpd/trunk/server/scoreboard.c Mon May 25 05:50:12 2020
> > @@ -381,7 +381,7 @@ AP_DECLARE(void) ap_increment_counts(ap_
> > if (pfn_ap_logio_get_last_bytes != NULL) {
> > bytes = pfn_ap_logio_get_last_bytes(r->connection);
> > }
> > - else if (r->method_number == M_GET && r->method[0] == 'H') {
> > + else if (r->method_number == M_GET && r->method && r->method[0] ==
> > 'H') {
> > bytes = 0;
> > }
> > else {
>
> Sorry for the lateness..
> Maybe we could have an r->method_number == M_INVALID and r->method ==
> "" by default on failure, like with the attached patch?
Or even initialize r->{method,uri,unparsed_uri} to "-" for logging (v2
attached).
We can ap_die() from here, but the potential ap_internal_redirect()
from there would rewrite those.
Index: server/protocol.c
===================================================================
--- server/protocol.c (revision 1893001)
+++ server/protocol.c (working copy)
@@ -716,6 +716,13 @@ static int read_request_line(request_rec *r, apr_b
if (rv != APR_SUCCESS) {
r->request_time = apr_time_now();
+ /* Fall through with an invalid (non NULL) request */
+ r->method = "-";
+ r->method_number = M_INVALID;
+ r->uri = r->unparsed_uri = apr_pstrdup(r->pool, "-");
+ r->proto_num = HTTP_VERSION(1,0);
+ r->protocol = "HTTP/1.0";
+
/* ap_rgetline returns APR_ENOSPC if it fills up the
* buffer before finding the end-of-line. This is only going to
* happen if it exceeds the configured limit for a request-line.
@@ -732,8 +739,6 @@ static int read_request_line(request_rec *r, apr_b
else if (APR_STATUS_IS_EINVAL(rv)) {
r->status = HTTP_BAD_REQUEST;
}
- r->proto_num = HTTP_VERSION(1,0);
- r->protocol = "HTTP/1.0";
return 0;
}
} while ((len <= 0) && (--num_blank_lines >= 0));
