On Tue, Sep 7, 2021 at 2:00 PM Yann Ylavic <ylavic....@gmail.com> wrote: > > On Mon, May 25, 2020 at 7:50 AM <rpl...@apache.org> wrote: > > > > Author: rpluem > > Date: Mon May 25 05:50:12 2020 > > New Revision: 1878092 > > > > URL: http://svn.apache.org/viewvc?rev=1878092&view=rev > > Log: > > Fix a NULL pointer dereference > > > > * server/scoreboard.c (ap_increment_counts): In certain cases like certain > > invalid requests r->method might be NULL here. r->method_number defaults > > to M_GET and hence is M_GET in these cases. > > > > > > Modified: > > httpd/httpd/trunk/server/scoreboard.c > > > > Modified: httpd/httpd/trunk/server/scoreboard.c > > URL: > > http://svn.apache.org/viewvc/httpd/httpd/trunk/server/scoreboard.c?rev=1878092&r1=1878091&r2=1878092&view=diff > > ============================================================================== > > --- httpd/httpd/trunk/server/scoreboard.c (original) > > +++ httpd/httpd/trunk/server/scoreboard.c Mon May 25 05:50:12 2020 > > @@ -381,7 +381,7 @@ AP_DECLARE(void) ap_increment_counts(ap_ > > if (pfn_ap_logio_get_last_bytes != NULL) { > > bytes = pfn_ap_logio_get_last_bytes(r->connection); > > } > > - else if (r->method_number == M_GET && r->method[0] == 'H') { > > + else if (r->method_number == M_GET && r->method && r->method[0] == > > 'H') { > > bytes = 0; > > } > > else { > > Sorry for the lateness.. > Maybe we could have an r->method_number == M_INVALID and r->method == > "" by default on failure, like with the attached patch?
Or even initialize r->{method,uri,unparsed_uri} to "-" for logging (v2 attached). We can ap_die() from here, but the potential ap_internal_redirect() from there would rewrite those.
Index: server/protocol.c =================================================================== --- server/protocol.c (revision 1893001) +++ server/protocol.c (working copy) @@ -716,6 +716,13 @@ static int read_request_line(request_rec *r, apr_b if (rv != APR_SUCCESS) { r->request_time = apr_time_now(); + /* Fall through with an invalid (non NULL) request */ + r->method = "-"; + r->method_number = M_INVALID; + r->uri = r->unparsed_uri = apr_pstrdup(r->pool, "-"); + r->proto_num = HTTP_VERSION(1,0); + r->protocol = "HTTP/1.0"; + /* ap_rgetline returns APR_ENOSPC if it fills up the * buffer before finding the end-of-line. This is only going to * happen if it exceeds the configured limit for a request-line. @@ -732,8 +739,6 @@ static int read_request_line(request_rec *r, apr_b else if (APR_STATUS_IS_EINVAL(rv)) { r->status = HTTP_BAD_REQUEST; } - r->proto_num = HTTP_VERSION(1,0); - r->protocol = "HTTP/1.0"; return 0; } } while ((len <= 0) && (--num_blank_lines >= 0));