Bug 49214 - Possible buffer overflow in proc_spawn_process
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_fcgid
Version: 2.5-HEAD
Hardware: All All
Importance: P2 minor
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
 
Reported: 2010-04-28 12:50 UTC by Martin Furter
Modified: 2010-04-29 11:16 UTC

Description Martin Furter 2010-04-28 12:50:16 UTC
Log Message:
[[[
Allocate enough memory for APACHE_ARG_MAX arguments plus a terminating 
NULL pointer.
]]]

Patch:
[[[
Index: modules/fcgid/fcgid_proc_unix.c
===================================================================
--- modules/fcgid/fcgid_proc_unix.c     (revision 938992)
+++ modules/fcgid/fcgid_proc_unix.c     (working copy)
@@ -201,7 +201,7 @@
      struct sockaddr_un unix_addr;
      apr_procattr_t *procattr = NULL;
      int argc;
-    const char *wargv[APACHE_ARG_MAX];
+    const char *wargv[APACHE_ARG_MAX+1];
      const char *word; /* For wrapper */
      const char *tmp;

]]]
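Review bot: the `+1` in `const char *wargv[APACHE_ARG_MAX+1];` has no comment at the declaration saying the extra slot holds the terminating NULL pointer, so it reads as arbitrary and could be removed in a later cleanup; add a one-line comment there. The hunk also does not include the code that fills `wargv`, so these lines alone do not show that the fill stops after APACHE_ARG_MAX entries before the NULL is stored; including that check in the patch context would make the fix reviewable on its own. Only modules/fcgid/fcgid_proc_unix.c is touched, so any other file with the same declaration (comment 1 names fcgid_proc_win.c) needs the same change.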
Comment 1 Jeff Trawick 2010-04-28 13:23:29 UTC
same change needed to fcgid_proc_win.c as well... looking further at implications
Comment 2 Jeff Trawick 2010-04-29 11:16:15 UTC
Thanks for the fix, now committed; same change was added to the analogous code for Windows.

Buffer overflow can't occur at present due to truncation of such command-lines before it reaches this point in processing.
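
The sizing rule from the log message, as an added example (not code from mod_fcgid or from this bug report): a vector that may hold up to N argument pointers needs N+1 slots, because the NULL terminator is written at index N when the vector is full. `DEMO_ARG_MAX`, `build_argv` and the sample command line are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_ARG_MAX 4 /* assumption: small stand-in for APACHE_ARG_MAX */

/*
 * Split cmd in place on blanks into at most DEMO_ARG_MAX words, then
 * NULL-terminate the vector. argv must have DEMO_ARG_MAX + 1 slots: when
 * the vector is full, the terminator is written at index DEMO_ARG_MAX.
 * Returns the word count; *truncated is set to 1 if words were dropped.
 */
static int build_argv(char *cmd, const char *argv[], int *truncated)
{
    int argc = 0;
    char *p = cmd;

    *truncated = 0;
    for (;;) {
        p += strspn(p, " \t");          /* skip leading blanks */
        if (*p == '\0')
            break;                      /* no more words */
        if (argc == DEMO_ARG_MAX) {     /* full: last slot is reserved */
            *truncated = 1;
            break;
        }
        argv[argc++] = p;
        p += strcspn(p, " \t");         /* advance to end of this word */
        if (*p != '\0')
            *p++ = '\0';                /* terminate the word in place */
    }
    argv[argc] = NULL;                  /* argc <= DEMO_ARG_MAX, in bounds */
    return argc;
}

int main(void)
{
    char line[] = "wrapper -a -b -c -d -e"; /* constructed sample input */
    const char *wargv[DEMO_ARG_MAX + 1];    /* one extra slot for NULL */
    int truncated;
    int argc = build_argv(line, wargv, &truncated);

    printf("argc=%d truncated=%d last=%s\n", argc, truncated, wargv[argc - 1]);
    return 0;
}
```

Declaring the array with only `DEMO_ARG_MAX` slots would make the final `argv[argc] = NULL` store land one element past the end whenever the input has `DEMO_ARG_MAX` or more words.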