Bug 44641 - mod_rewrite ap_register_rewrite_mapfunc can use uninitialized memory
Summary: mod_rewrite ap_register_rewrite_mapfunc can use uninitialized memory
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_rewrite (show other bugs)
Version: 2.0.59
Hardware: All All
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk, PatchAvailable
Depends on:
Blocks:
 
Reported: 2008-03-19 13:17 UTC by Daniel Lescohier
Modified: 2008-05-27 09:03 UTC (History)
0 users



Attachments
mod_rewrite mapfunc_hash hash_make patch (970 bytes, patch)
2008-03-19 13:17 UTC, Daniel Lescohier
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Lescohier 2008-03-19 13:17:59 UTC
Created attachment 21691 [details]
mod_rewrite mapfunc_hash hash_make patch

I checked trunk, and this problem still exists there.

ap_register_rewrite_mapfunc calls apr_hash_set on a hashtable.  However, mod_rewrite registers ap_register_rewrite_mapfunc as an optional function before the hashtable is initialized with apr_hash_make.  That makes the ap_register_rewrite_mapfunc function available to other modules before the memory is initialized.

I found this out when writing a custom module that registers a function with ap_register_rewrite_mapfunc.  My module has to do it in the pre_config stage, because mod_rewrite requires the map function to be registered before it reads a config line referencing it.

If I have in the apache config a LoadModule of my module before a LoadModule of mod_rewrite, then I get a segmentation fault in the pre-config stage, because it's dereferencing a null pointer to a non-existent hashtable.  If I change the order of the LoadModule commands to load mod_rewrite first, then it works fine.  If I have LoadModule of my module first, the segmentation fault happens even though I register my hook to happen after mod_rewrite, like this:

    static const char * const preModules[] = { "mod_rewrite.c", NULL };
    ap_hook_pre_config(register_rewrite_whitelist_functions,
			preModules,NULL,APR_HOOK_MIDDLE);

I fixed the problem with the mod_rewrite.c patch I'm including (-1 code line, +1 code line).  With this patch applied, I do not even have to list mod_rewrite.c to be run first in the pre_config stage; my module can be like this:

    ap_hook_pre_config(register_rewrite_whitelist_functions,
			NULL,NULL,APR_HOOK_MIDDLE);

With the patch I'm attaching applied, and with my module using the pre_config hook without listing mod_rewrite.c, I get no segmentation fault, even if my module is LoadModule'd first.

I think this should be fixed in trunk, and backported to 2.2 and 2.0.
Comment 1 Ruediger Pluem 2008-03-20 14:39:00 UTC
Thanks for the patch. Committed to trunk as r639465 (http://svn.apache.org/viewvc?rev=639465&view=rev).
Comment 2 Ruediger Pluem 2008-05-26 13:04:42 UTC
Proposed for backport to 2.2.x as r660284 (http://svn.apache.org/viewvc?rev=660284&view=rev).
Comment 3 Ruediger Pluem 2008-05-27 09:03:56 UTC
Backport to 2.2.x as r660572
(http://svn.apache.org/viewvc?rev=660572&view=rev).