Bug 55360

Summary: Potential buffer overflows in support/ab
Product: Apache httpd-2
Reporter: Mike Rumph <mike.rumph>
Component: support
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: normal
Keywords: FixedInTrunk, PatchAvailable
Priority: P2    
Version: 2.5-HEAD   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Attachments: Fix potential overflows for X and T options of support/ab.

Description Mike Rumph 2013-08-05 17:46:39 UTC
The X and T command line options for the support/ab utility can cause a buffer overflow resulting in segmentation faults.

Both of these options do strcpy into fixed length buffers of length 1024.

As an example, the following test results in a segmentation fault on my Linux 64 system:

$ ./ab -T text/a123456789...512 times...a123456789 localhost:8080/welcome.html
The total length of the -T value is 5125 bytes.

I've also tried up to a length of 3845 bytes without getting a segmentation fault.
But even in this case the 1024 byte buffer would still be overridden.

There are also 2 fixed length buffers that are no longer referenced (postfile and url) and 3 other fixed length buffers that could potentially overflow (servername, buffer, _request).

I will submit a patch for the X and T options and remove the unreferenced buffers.

A fix for the other potential overflows will require a more careful study of the code.
Comment 1 Mike Rumph 2013-08-05 17:50:18 UTC
Created attachment 30676
Fix potential overflows for X and T options of support/ab.

The added patch replaces strcpy calls with the use of an APR pool.
The patch also removes 2 unreferenced fixed length buffers.
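
The unchecked copy from the description next to a copy whose storage is sized from the argument, as an added example that is not part of the original report or the attached patch. Plain malloc stands in for the APR pool allocation so the code builds without APR; overflow_bytes, set_option and make_arg are hypothetical names, and the input is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIXED_LEN 1024  /* fixed buffer length stated in the report */

/* Reported pattern, kept as a comment so nothing here corrupts memory:
 *     char content_type[FIXED_LEN];  strcpy(content_type, optarg);  */

/* Bytes strcpy() would write past a FIXED_LEN buffer (0 means it fits). */
size_t overflow_bytes(const char *arg)
{
    size_t need = strlen(arg) + 1;          /* +1 for the terminating NUL */
    return need > FIXED_LEN ? need - FIXED_LEN : 0;
}

/* Hardened form: storage is sized from the argument itself.
 * Returns the stored copy, or NULL on allocation failure (slot unchanged). */
char *set_option(char **slot, const char *arg)
{
    size_t need = strlen(arg) + 1;
    char *copy = malloc(need);
    if (copy == NULL) return NULL;
    memcpy(copy, arg, need);
    free(*slot);                            /* release any earlier value */
    *slot = copy;
    return copy;
}

/* Constructed input: an n-byte value (n >= 5) shaped like "text/aaa...". */
char *make_arg(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL) return NULL;
    memset(s, 'a', n);
    memcpy(s, "text/", 5);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char *content_type = NULL, *arg = make_arg(5125);  /* length from the report */
    if (arg == NULL || set_option(&content_type, arg) == NULL) return 1;
    printf("strcpy would overrun by %zu bytes; copy holds %zu bytes\n", overflow_bytes(arg), strlen(content_type));
    free(arg);
    free(content_type);
    return 0;
}
```

The 3845-byte value from the description also yields a non-zero overrun here, which matches the observation that the buffer is exceeded even when no segmentation fault occurs.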
Comment 2 Jeff Trawick 2013-08-06 13:09:30 UTC
This is now in trunk as r1510707, and nominated for inclusion in 2.4.next.
Comment 3 Jeff Trawick 2013-08-19 11:47:43 UTC
In 2.4.x branch with r1515370.