Bug 62344

Summary: Failing variable interpolation and memory allocation failure in ProxyHTMLURLMap
Product: Apache httpd-2
Reporter: Ewald Dieterich <ewald>
Component: mod_proxy_html
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: normal
CC: micha, nsg-apache-httpd-maintenance
Priority: P2
Keywords: FixedInTrunk
Version: 2.4.33   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Attachments: Fix variable interpolation and memory allocation failure in ProxyHTMLURLMap

Description Ewald Dieterich 2018-05-02 08:32:35 UTC
Created attachment 35903
Fix variable interpolation and memory allocation failure in ProxyHTMLURLMap

The attached file ProxyHTMLURLMap-memory-allocation-failure.patch fixes a potential memory allocation failure in ProxyHTMLURLMap in conjunction with a failed variable interpolation.

To reproduce, enable variable interpolation in ProxyHTMLURLMap and use a pattern with a variable and the pipe symbol | after the variable. For example:

SetEnv env replaced
ProxyHTMLEnable On
ProxyHTMLInterp On
ProxyHTMLURLMap / /${env}_and_|/subfolder" V

The problem is that in mod_proxy_html.c, interpolate_var(), searching for | isn't restricted to within the variable ${...}.

This leads to a wrong variable interpolation and, depending on your environment, a memory allocation failure.

If you enable trace1 logging for mod_proxy_html you will see something like this:
 
[...] mod_proxy_html.c(744): Interpolating env}_and_  =>  /subfolder"

The attached patch fixes this:

[...] mod_proxy_html.c(750): Interpolating env  =>  replaced
Comment 1 Yann Ylavic 2018-05-02 11:33:05 UTC
Thanks, committed to trunk in r1830746.
Comment 2 Micha Lenk 2018-05-02 13:36:30 UTC
Yann, can you please propose this for backporting to 2.4.x?
Comment 3 Yann Ylavic 2018-05-02 15:33:25 UTC
Proposed in r1830776.
Comment 4 Micha Lenk 2018-05-02 15:40:57 UTC
Awesome, thanks for proposing the backport.

Just a comment on the mentioned memory allocation failure: The reason is the pointer arithmetic, which in the described error case results in a negative length, which then seems to get cast to a very big positive number. If the system is short on memory, it won't be able to provide the requested amount of memory. That is at least how I understood what is happening in the error case.
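
The length arithmetic described in the report and in comment 4, as an added C example: a simplified model, not the mod_proxy_html source and not the attached patch. The names measure, struct span and as_size are hypothetical, and measuring the default text as the bytes between | and } is an assumption of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of measuring one ${name|default} reference. */
struct span {
    int found;              /* 1 if a complete ${...} was located */
    ptrdiff_t name_len;     /* bytes taken as the variable name */
    ptrdiff_t default_len;  /* bytes taken as the default text */
};

/* restrict_delim == 0: '|' is searched to the end of the string, as the
 * report describes. restrict_delim == 1: a '|' at or past '}' is ignored. */
static struct span measure(const char *str, int restrict_delim)
{
    struct span s = {0, 0, 0};
    const char *start = strstr(str, "${");
    const char *end = start ? strchr(start + 2, '}') : NULL;
    const char *delim;

    if (end == NULL)
        return s;
    s.found = 1;
    delim = strchr(start + 2, '|');
    if (restrict_delim && delim != NULL && delim >= end)
        delim = NULL;
    if (delim != NULL) {
        s.name_len = delim - (start + 2);
        s.default_len = end - (delim + 1);  /* negative if '|' follows '}' */
    } else {
        s.name_len = end - (start + 2);
    }
    return s;
}

/* The value a size_t length parameter receives for a signed length. */
static size_t as_size(ptrdiff_t len) { return (size_t)len; }

int main(void)
{
    const char *pat = "/${env}_and_|/subfolder\"";  /* pattern from the report */
    struct span bad = measure(pat, 0), ok = measure(pat, 1);

    printf("unrestricted: name=%.*s default_len=%td as size_t=%zu\n",
           (int)bad.name_len, pat + 3, bad.default_len, as_size(bad.default_len));
    printf("restricted:   name=%.*s default_len=%td\n",
           (int)ok.name_len, pat + 3, ok.default_len);
    return 0;
}
```

With the unrestricted search the name comes out as env}_and_, the same string the first trace1 line in the report shows, and the default length is negative before it is converted to an unsigned size.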
Comment 5 Christophe JAILLET 2019-06-14 05:29:20 UTC
This has been backported in r1833840.

This is part of 2.4.34.