Bug 59844

Summary: Stack address is returned from function parse_ap_expr
Product: Apache httpd-2
Reporter: SourceBrella <report>
Component: mod_include
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: normal
CC: report
Priority: P2
Keywords: FixedInTrunk
Version: 2.4.23
Target Milestone: ---
Hardware: PC
OS: All

Description SourceBrella 2016-07-12 09:04:53 UTC
The code is as follows.

static int parse_ap_expr(include_ctx_t *ctx, const char *expr, int *was_error)
{

     ap_expr_info_t expr_info;

     ...

     ctx->info = &expr_info;

     ...

     return ...
}

A stack address &expr_info is returned as a side effect.
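
Added example, not part of the report and not httpd's code or its actual fix: two ways to keep a context pointer from outliving the local it refers to. The types and the functions evaluate, parse_scoped and parse_owned are hypothetical stand-ins for the structures named above.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for ap_expr_info_t and include_ctx_t. */
typedef struct { const char *expr; int flags; } expr_info_t;
typedef struct {
    expr_info_t *info;      /* read by the evaluator during a call */
    expr_info_t  storage;   /* used only by parse_owned() */
} eval_ctx_t;

/* Evaluator that reaches the expression only through ctx->info. */
static int evaluate(const eval_ctx_t *ctx)
{
    if (ctx->info == NULL || ctx->info->expr == NULL)
        return -1;
    return strcmp(ctx->info->expr, "true") == 0;
}

/* Option 1: keep the local, but clear the pointer before returning.
 * A single exit point means no return path can skip the reset. */
static int parse_scoped(eval_ctx_t *ctx, const char *expr)
{
    expr_info_t expr_info = { expr, 0 };
    int rc;

    ctx->info = &expr_info;
    rc = evaluate(ctx);
    ctx->info = NULL;       /* the reported pattern returns without this */
    return rc;
}

/* Option 2: give the info the same lifetime as the context.
 * The expr string itself must also live at least as long as ctx. */
static int parse_owned(eval_ctx_t *ctx, const char *expr)
{
    ctx->storage.expr = expr;
    ctx->storage.flags = 0;
    ctx->info = &ctx->storage;
    return evaluate(ctx);
}

int main(void)
{
    eval_ctx_t ctx = { NULL, { NULL, 0 } };
    int ok = parse_scoped(&ctx, "true") == 1 && ctx.info == NULL;
    ok = ok && parse_owned(&ctx, "true") == 1 && ctx.info == &ctx.storage;
    return ok ? 0 : 1;
}
```
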
Comment 1 SourceBrella 2016-07-12 09:08:21 UTC
The function is here: modules/filters/mod_include.c
Comment 2 Eric Covener 2016-07-13 12:40:39 UTC
Thanks for the report!
Comment 3 Eric Covener 2016-07-13 12:49:04 UTC
Did you ever see a symptom on this?
Comment 4 SourceBrella 2016-07-18 05:58:17 UTC
I have not seen any symptom, but it is indeed a dangerous operation.
Comment 5 Eric Covener 2016-12-31 00:27:57 UTC
Fixed in 2.4.25
Comment 6 shqking 2017-02-03 08:20:04 UTC
(In reply to Eric Covener from comment #5)
> Fixed in 2.4.25

I found a similar problem in "support/htpasswd.c".
I have reported this issue in https://bz.apache.org/bugzilla/show_bug.cgi?id=60634