| Summary: | Buffer overflow in mod_proxy_html's string replacement can cause a segfault | | |
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | Micha Lenk <micha> |
| Component: | mod_proxy_html | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | NEW --- | | |
| Severity: | normal | CC: | nsg-apache-httpd-maintenance |
| Priority: | P2 | Keywords: | PatchAvailable |
| Version: | 2.5-HEAD | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | All | | |
| Attachments: | Fix string replacement segfault in mod_proxy_html | | |

Just for the record, the patch is based on SVN trunk rev. 1579365.

Your patch appears to dispense with null-termination in the buffer. That's good if it doesn't break anything, and the reasons for null-termination in the buffer are lost in the mists of time! Is it well-tested with both strings and regexps and ProxyHTMLExtended?

> Is it well-tested with both strings and regexps and ProxyHTMLExtended?

Yes, we have had this patch applied for years in our product, and the segfault hasn't happened since then.

Created attachment 31413: Fix string replacement segfault in mod_proxy_html

The attached patch fixes a buffer overflow in at least one of the six string replacement implementations in mod_proxy_html. Unfortunately I don't remember anymore how to reproduce the issue properly, but I know that a long time ago I fixed a segfault with this patch. The patch tries to address the buffer overflow by introducing a new function preplace() dedicated to clean string replacement. This function is now used in all six places where the error-prone string replacement was previously implemented manually with memcpy() and memmove().