Summary: | numerical configuration entry can be mistakenly interpreted without users' awareness | ||
---|---|---|---|
Product: | Apache httpd-2 | Reporter: | Jiaqi Zhang <zation99> |
Component: | Core | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
Status: | NEW --- | ||
Severity: | normal | CC: | OlafvdSpek, s.voelker78, tixu |
Priority: | P2 | ||
Version: | 2.4.1 | ||
Target Milestone: | --- | ||
Hardware: | PC | ||
OS: | Linux |
Description
Jiaqi Zhang
2012-03-05 23:06:40 UTC
hmmm... interesting. I agree with this point. although it seems a quite stupid mistake to have 20O instead of 200, the correct system response is to check because human beings can make any kinds of mistakes. actually in a lot of modules, Apache does use strtol to check this problem. (In reply to comment #0) > The configuration parsing logic for numerical entries almost all use atoi() or > atol() to convert a string to an integer (for example, in set_max_ranges(), > set_max_reversals(), etc.) > > However, atoi and atol will only return error (<=0) if the initial portion of > the string is not digit. In case the string starts with some digits, they will > convert the initial portions without reporting any error. > > For example, the string "2o0" will be parsed and returned as 2. In this case, > although the users' original intention might be set it to 200, the program > executes as it is 2 instead, without giving out any warnings. > > It seems it affects almost all versions of httpd, and every place where atoi / > atol is used to convert configuration parameters from string to integer. > > Bug fix proposal: use strtol(char* nptr, char **endptr, int base) instead, and > give out warnings if the endptr does not point to the end of the string. Or use > apr_strtoi64() instead. another problem I can think about is the integer overflow. Being fed with a overflowed number, atoi() will return a random number. for example, on my machine, ind b = atoi(10000000000), b will be 1410065408. It seems that Apache httpd heavily uses atoi() without carefully check. Just randomly pick one example as follows: //in server/listen.c AP_DECLARE_NONSTD(const char *) ap_set_send_buffer_size(cmd_parms *cmd, void *dummy, const char *arg) { int s = atoi(arg); const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); if (err != NULL) { return err; } if (s < 512 && s != 0) { return "SendBufferSize must be >= 512 bytes, or 0 for system default."; } send_buffer_size = s; return NULL; } I think a good software should be able to check and have correct response instead of keeping silent. (In reply to Tianyin Xu from comment #2) > Being fed with a overflowed number, atoi() will return a random number. > > for example, on my machine, ind b = atoi(10000000000), b will be 1410065408. Actually it's worse: "If the value cannot be represented, the behavior is undefined." http://pubs.opengroup.org/onlinepubs/009695399/functions/atoi.html Code using strtol often fails to check for ERANGE too. IMO the best solution would be to introduce a better strtol wrapper that returns an int/error on invalid input. |