Ruediger Pluem created SVN-4782:
-----------------------------------
Summary: Using (const char*)1 in Apache HTTP server modules as
value for r->notes causes httpd to crash
Key: SVN-4782
URL: https://issues.apache.org/jira/browse/SVN-4782
Project: Subversion
Issue Type: Bug
Affects Versions: 1.9.7, 1.10.2
Environment: All environments
Reporter: Ruediger Pluem
Attachments: notes_fix.diff
*mod_authz_svn.c* and *mod_dav_svn.c* add keys to *r->notes* to memorize
boolean states (*FORCE_AUTHN_NOTE*, *IN_SOME_AUTHN_NOTE*, *authz_svn-anon-ok*,
*NO_MAP_TO_STORAGE_NOTE*). They use _(const char*)1_ as values for the keys.
This causes any call to *apr_table_clone* for *r->notes* to crash with a
SEGFAULT, because _(const char*)1_ is an invalid address. *mod_http2* in httpd
calls *apr_table_clone* for *r->notes* and hence the httpd process crashes.
The attached patch (against trunk) replaces the value of _(const char*)1_ in
these cases with a value of _"1"_.
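The failure mode and the fix described in this report, as an added C example that is not part of the original report or of the Subversion, httpd or APR sources: a simplified stand-in table whose clone has to read every stored value as a C string. The struct, the function names and the 4096-byte sentinel threshold are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a notes table: values are stored by pointer. */
#define MAX_NOTES 8
struct notes { const char *key[MAX_NOTES]; const char *val[MAX_NOTES]; int n; };

static void notes_setn(struct notes *t, const char *key, const char *val)
{
    if (t->n == MAX_NOTES) return;
    t->key[t->n] = key;
    t->val[t->n] = val;
    t->n++;
}

static const char *notes_get(const struct notes *t, const char *key)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->key[i], key) == 0) return t->val[i];
    return NULL;
}

/* Assumed heuristic: a value in the first 4096 bytes of the address space
 * (NULL included) is a flag stored as a pointer, not a readable string. */
static int notes_count_sentinels(const struct notes *t)
{
    int bad = 0;
    for (int i = 0; i < t->n; i++)
        if ((uintptr_t)t->val[i] < 4096) bad++;
    return bad;
}

/* Deep copy: reads each value as a C string, the step that faults on
 * (const char *)1. Returns -1 instead of touching a sentinel value. */
static int notes_clone(struct notes *dst, const struct notes *src)
{
    if (notes_count_sentinels(src) != 0) return -1;
    dst->n = 0;
    for (int i = 0; i < src->n; i++) {
        size_t len = strlen(src->val[i]) + 1;
        char *copy = malloc(len);
        if (copy == NULL) return -1;
        memcpy(copy, src->val[i], len);
        notes_setn(dst, src->key[i], copy);
    }
    return 0;
}
```

With the value `(const char *)1` the guard counts one sentinel and the clone is refused; with `"1"` the clone succeeds and a non-NULL lookup still serves as the boolean test.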