| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | mod_rewrite ap_register_rewrite_mapfunc can use uninitialized memory | | |
| Product: | Apache httpd-2 | Reporter: | Daniel Lescohier <daniel.lescohier> |
| Component: | mod_rewrite | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | Keywords: | FixedInTrunk, PatchAvailable |
| Priority: | P2 | | |
| Version: | 2.0.59 | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | All | | |
| Attachments: | mod_rewrite mapfunc_hash hash_make patch | | |
Thanks for the patch. Committed to trunk as r639465 (http://svn.apache.org/viewvc?rev=639465&view=rev). Proposed for backport to 2.2.x as r660284 (http://svn.apache.org/viewvc?rev=660284&view=rev). Backport to 2.2.x as r660572 (http://svn.apache.org/viewvc?rev=660572&view=rev). |
Created attachment 21691: mod_rewrite mapfunc_hash hash_make patch

I checked trunk, and this problem still exists there. ap_register_rewrite_mapfunc calls apr_hash_set on a hashtable. However, mod_rewrite registers ap_register_rewrite_mapfunc as an optional function before the hashtable is initialized with apr_hash_make. That makes the ap_register_rewrite_mapfunc function available to other modules before the memory is initialized.

I found this out when writing a custom module that registers a function with ap_register_rewrite_mapfunc. My module has to do it in the pre_config stage, because mod_rewrite requires the map function to be registered before it reads a config line referencing it. If I have in the apache config a LoadModule of my module before a LoadModule of mod_rewrite, then I get a segmentation fault in the pre-config stage, because it's dereferencing a null pointer to a non-existent hashtable. If I change the order of the LoadModule commands to load mod_rewrite first, then it works fine.

If I have LoadModule of my module first, the segmentation fault happens even though I register my hook to happen after mod_rewrite, like this:

```c
static const char * const preModules[] = { "mod_rewrite.c", NULL };
ap_hook_pre_config(register_rewrite_whitelist_functions, preModules, NULL, APR_HOOK_MIDDLE);
```

I fixed the problem with the mod_rewrite.c patch I'm including (-1 code line, +1 code line). With this patch applied, I do not even have to list mod_rewrite.c to be run first in the pre_config stage; my module can be like this:

```c
ap_hook_pre_config(register_rewrite_whitelist_functions, NULL, NULL, APR_HOOK_MIDDLE);
```

With the patch I'm attaching applied, and with my module using the pre_config hook without listing mod_rewrite.c, I get no segmentation fault, even if my module is LoadModule'd first.

I think this should be fixed in trunk, and backported to 2.2 and 2.0.
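The ordering problem the report describes, as an added model that is not httpd, APR or the attached patch: a small linked list stands in for `apr_hash_t`, plain functions stand in for the `register_hooks` and `pre_config` phases, and `simulate()` drives them in the order httpd does (every module's `register_hooks` at LoadModule time, then every module's `pre_config`, both in LoadModule order). The "before" variant exports the register function while the table is still NULL; the "after" variant creates the table in `register_hooks` before exporting the function, which is what a one-line move of the `apr_hash_make` call implies (an assumption about the patch, not a quotation of it). The `mapfunc_hash == NULL` guard in `register_mapfunc` is also an assumption added so the model returns an error code instead of crashing; the real `ap_register_rewrite_mapfunc` hands the pointer straight to `apr_hash_set`, which is why the reporter saw a segfault.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins: a linked list instead of apr_hash_t, and a
 * function pointer instead of APR's optional-function registry. */
typedef void (*mapfunc_t)(void);

typedef struct map_entry {
    const char *name;
    mapfunc_t fn;
    struct map_entry *next;
} map_entry;

typedef struct map_table { map_entry *head; } map_table;

/* Mirrors mod_rewrite's mapfunc_hash: NULL until the table is created. */
static map_table *mapfunc_hash = NULL;

/* Mirrors the optional function other modules fetch. */
typedef int (*register_fn_t)(const char *, mapfunc_t);
static register_fn_t exported_register = NULL;

static map_table *table_make(void)
{
    map_table *t = calloc(1, sizeof *t);
    if (!t) abort();
    return t;
}

static void table_free(map_table *t)
{
    map_entry *e = t ? t->head : NULL;
    while (e) { map_entry *n = e->next; free(e); e = n; }
    free(t);
}

/* Stand-in for ap_register_rewrite_mapfunc. Returns 0 on success and
 * -1 if the table does not exist yet (assumed guard; the real function
 * would dereference the NULL pointer here). */
static int register_mapfunc(const char *name, mapfunc_t fn)
{
    if (mapfunc_hash == NULL)
        return -1;
    map_entry *e = calloc(1, sizeof *e);
    if (!e) abort();
    e->name = name;
    e->fn = fn;
    e->next = mapfunc_hash->head;
    mapfunc_hash->head = e;
    return 0;
}

static mapfunc_t lookup_mapfunc(const char *name)
{
    for (map_entry *e = mapfunc_hash ? mapfunc_hash->head : NULL; e; e = e->next)
        if (strcmp(e->name, name) == 0)
            return e->fn;
    return NULL;
}

/* mod_rewrite before the fix: the function is exported at register_hooks
 * time, but the table is only created in pre_config. */
static void rewrite_register_hooks_before(void) { exported_register = register_mapfunc; }
static void rewrite_pre_config_before(void)     { mapfunc_hash = table_make(); }

/* mod_rewrite after the fix: create the table first, then export the
 * function, so no caller can ever see the table uninitialised. */
static void rewrite_register_hooks_after(void)
{
    mapfunc_hash = table_make();
    exported_register = register_mapfunc;
}
static void rewrite_pre_config_after(void) { /* nothing left to create */ }

/* The reporter's custom module, modelled. A consumer should still check
 * that the optional function was actually found before calling it. */
static void whitelist_fn(void) {}
static int custom_result;
static void custom_pre_config(void)
{
    custom_result = exported_register ? exported_register("whitelist", whitelist_fn) : -2;
}

/* Returns the custom module's registration result:
 * 0 = registered, -1 = table not created yet, -2 = function unavailable. */
static int simulate(int patched, int custom_loaded_first)
{
    table_free(mapfunc_hash);
    mapfunc_hash = NULL;
    exported_register = NULL;
    custom_result = -2;

    void (*rw_hooks)(void) = patched ? rewrite_register_hooks_after : rewrite_register_hooks_before;
    void (*rw_pre)(void)   = patched ? rewrite_pre_config_after   : rewrite_pre_config_before;

    rw_hooks();                               /* register_hooks phase (LoadModule time) */
    if (custom_loaded_first) { custom_pre_config(); rw_pre(); }   /* pre_config phase */
    else                     { rw_pre(); custom_pre_config(); }
    return custom_result;
}

int main(void)
{
    printf("unpatched, custom module loaded first : %d\n", simulate(0, 1));
    printf("unpatched, mod_rewrite loaded first   : %d\n", simulate(0, 0));
    printf("patched,   custom module loaded first : %d\n", simulate(1, 1));
    printf("patched,   mod_rewrite loaded first   : %d\n", simulate(1, 0));
    return 0;
}
```

Only the unpatched, custom-module-first case fails, matching the report: the exported function is reachable while the table it writes to does not exist. The general defensive pattern is the one the fix applies, which is to initialise any state a function depends on before making that function reachable to other modules, and on the consumer side to check the optional-function pointer rather than assume the provider was loaded.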