DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24314>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24314

jk2/AJP13: jkstatus unsafely prints jk_stat->active

           Summary: jk2/AJP13: jkstatus unsafely prints jk_stat->active
           Product: Tomcat 4
           Version: 4.0.4 Final
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Connector:Coyote JK 2
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

I saw this under LastReq a couple of times in my jkstatus page (built from the 2.0.2 tarball):

  /cnetcd/aiListTransactions.do;jsessionid=3C39F41641B7CA3405B45D0¢<Ù?

Which seems really scary. Sure enough, in jk_worker_ajp13.c we see that this struct field (struct jk_stat's active is char[64]) is populated by a strncpy on line 472:

  /* XXX configurable ? */
  strncpy( e->stats->active, s->req_uri, 64);

In jk_worker_status.c, the utility function jk2_worker_status_displayStat(...) doesn't pay attention to this size, using jkprintf:

  s->jkprintf(env, s, "<td>%s</td>\n", JK_CHECK_NULL(stat->active) );

jkprintf is a void* to jk2_requtil_printf, which does expect a NULL-terminated string! It will occasionally wander off into oblivion until it hits a null. Icky.
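The following is an added example, not code from the jk2 connector or from the reporter: it reproduces the strncpy-into-char[64]-then-"%s" pattern described above against a constructed 80-byte URI (the reported path padded with 'a'), and shows the two defender-side fixes, terminating on copy and bounding the conversion with a precision on the display side. All function names are assumptions chosen for this illustration.

```c
#include <stdio.h>
#include <string.h>
#define ACTIVE_LEN 64   /* matches struct jk_stat's char active[64] */

/* Copy as in jk_worker_ajp13.c: strncpy only NUL-pads when the source is
 * shorter than the limit, so a URI of 64+ bytes leaves no terminator. */
static void copy_active_unsafe(char active[ACTIVE_LEN], const char *uri) {
    strncpy(active, uri, ACTIVE_LEN);
}

/* Hardened copy: reserve the last byte and always write the terminator. */
static void copy_active_safe(char active[ACTIVE_LEN], const char *uri) {
    strncpy(active, uri, ACTIVE_LEN - 1);
    active[ACTIVE_LEN - 1] = '\0';
}

/* 1 if a NUL lies within the 64 bytes (safe for a "%s" conversion), else 0. */
static int is_terminated(const char active[ACTIVE_LEN]) {
    return memchr(active, '\0', ACTIVE_LEN) != NULL;
}

/* Constructed 80-byte request URI: the reported path padded with 'a'. */
static const char *long_uri(void) {
    static char uri[81];
    static const char prefix[] = "/cnetcd/aiListTransactions.do;jsessionid=";
    memset(uri, 'a', 80);
    uri[80] = '\0';
    memcpy(uri, prefix, sizeof prefix - 1);
    return uri;
}

/* Fill the field with one of the two copies and report whether it ended
 * up NUL-terminated (the buffer is pre-filled to mimic stale heap bytes). */
static int check_copy(int use_safe) {
    char active[ACTIVE_LEN];
    memset(active, 'X', sizeof active);
    if (use_safe) copy_active_safe(active, long_uri());
    else          copy_active_unsafe(active, long_uri());
    return is_terminated(active);
}

/* Display-side defence for jk2_worker_status_displayStat: a precision of
 * ACTIVE_LEN bounds "%s" so even an unterminated field cannot be read past.
 * Returns the rendered length: 4 + 64 + 6 = 74 for the unsafe copy. */
static int bounded_row_length(void) {
    char active[ACTIVE_LEN], row[128];
    copy_active_unsafe(active, long_uri());
    return snprintf(row, sizeof row, "<td>%.*s</td>\n", ACTIVE_LEN, active);
}
```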