|Summary:|Potential buffer overflows in support/ab|
|Product:|Apache httpd-2|
|Reporter:|Mike Rumph <mike.rumph>|
|Component:|support|
|Assignee:|Apache HTTPD Bugs Mailing List <bugs>|
|Attachments:|Fix potential overflows for X and T options of support/ab.|
Description Mike Rumph 2013-08-05 17:46:39 UTC
The X and T command line options for the support/ab utility can cause a buffer overflow resulting in segmentation faults. Both of these options do strcpy into fixed length buffers of length 1024.

As an example, the following test results in a segmentation fault on my Linux 64 system:

$ ./ab -T text/a123456789...512 times...a123456789 localhost:8080/welcome.html

The total length of the -T value is 5125 bytes. I've also tried up to a length of 3845 bytes without getting a segmentation fault. But even in this case the 1024 byte buffer would still be overridden.

There are also 2 fixed length buffers that are no longer referenced (postfile and url) and 3 other fixed length buffers that could potentially overflow (servername, buffer, _request).

I will submit a patch for the X and T options and remove the unreferenced buffers. A fix for the other potential overflows will require a more careful study of the code.
Comment 1 Mike Rumph 2013-08-05 17:50:18 UTC
Created attachment 30676: Fix potential overflows for X and T options of support/ab.

The added patch replaces strcpy calls with the use of an APR pool. The patch also removes 2 unreferenced fixed length buffers.
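The pattern reported above and the two usual remedies, as an added example that is not part of the original report or of the attached patch: a length check that flags the overflow whether or not it crashes, a bounded copy that rejects oversize input, and storage sized from the input. All function names are hypothetical, malloc stands in for the APR pool allocation the patch uses, and the -T value is constructed to match the 5125-byte test.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define OPT_BUF_LEN 1024 /* fixed buffer length given in the report */

/* 1 if strcpy() of arg into an OPT_BUF_LEN buffer would write past its end. */
int strcpy_would_overflow(const char *arg)
{
    return strlen(arg) + 1 > OPT_BUF_LEN;
}

/* Fixed buffer kept: reject oversize input instead of truncating it. */
int copy_bounded(char *dst, size_t dstlen, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= dstlen) return -1;
    memcpy(dst, arg, n + 1); /* n + 1 copies the terminating NUL */
    return 0;
}

/* Storage sized from the input; malloc stands in for a pool allocation. */
char *dup_option(const char *arg)
{
    size_t n = strlen(arg) + 1;
    char *p = malloc(n);
    if (p != NULL) memcpy(p, arg, n);
    return p;
}

/* Constructed input: "text/" followed by "a123456789" repeated reps times. */
char *make_value(size_t reps)
{
    char *v = malloc(5 + reps * 10 + 1);
    if (v == NULL) return NULL;
    memcpy(v, "text/", 5);
    for (size_t i = 0; i < reps; i++)
        memcpy(v + 5 + i * 10, "a123456789", 10);
    v[5 + reps * 10] = '\0';
    return v;
}

int main(void)
{
    char fixed[OPT_BUF_LEN], *v = make_value(512); /* 5125 bytes, as reported */
    if (v == NULL) return 1;
    printf("len=%zu overflow=%d bounded=%d\n", strlen(v),
           strcpy_would_overflow(v), copy_bounded(fixed, sizeof fixed, v));
    free(v);
    return 0;
}
```

The 3845-byte value from the report is flagged by the same check even though it did not produce a segmentation fault.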
Comment 2 Jeff Trawick 2013-08-06 13:09:30 UTC
This is now in trunk as r1510707, and nominated for inclusion in 2.4.next.