Bug 50824 - limiting and unsafe use of fixed length buffer for reading configuration
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Runtime Config
Version: 2.2.9
Hardware: PC Linux
Importance: P2 major
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: FixedInTrunk
Duplicates: 52017
Reported: 2011-02-24 05:39 UTC by Zdenek Salvet
Modified: 2012-02-26 17:10 UTC
Description Zdenek Salvet 2011-02-24 05:39:27 UTC
Configuration files are read line by line using buffers of fixed length
(MAX_STRING_LEN) and exceptional conditions EOF/error/buffer-full are not
handled appropriately. The 8kB limit on configuration line length is too low,
e.g., for some uses of the SSLRequire directive; it would be much better
to implement reading lines of arbitrary length.
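The three conditions named in the description (EOF, read error, buffer full), each handled explicitly, as an added example that is not httpd's code or the committed fix. `cfg_getline`, `cfg_status` and `CFG_CHUNK` are hypothetical names; the reader grows its buffer up to a caller-supplied limit, rejects longer lines instead of truncating them, and assumes text input without embedded NUL bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum cfg_status { CFG_OK, CFG_EOF, CFG_IOERR, CFG_TOO_LONG, CFG_NOMEM };
#define CFG_CHUNK 16   /* assumed start size, small so growth is exercised */

/* Read one line (<= max_len bytes) into malloc'd *line, newline stripped. */
enum cfg_status cfg_getline(FILE *fp, char **line, size_t max_len)
{
    size_t cap = CFG_CHUNK, len = 0;
    char *buf = malloc(cap);
    *line = NULL;
    if (!buf) return CFG_NOMEM;
    for (;;) {
        if (!fgets(buf + len, (int)(cap - len), fp)) {
            if (!ferror(fp) && len > 0) break;   /* last line lacks '\n' */
            free(buf);
            return ferror(fp) ? CFG_IOERR : CFG_EOF;
        }
        len += strlen(buf + len);
        int eol = len > 0 && buf[len - 1] == '\n';
        if (eol) buf[--len] = '\0';
        if (len > max_len) {                     /* reject, never truncate */
            while (!eol) { int c = fgetc(fp); eol = (c == '\n' || c == EOF); }
            free(buf);
            return CFG_TOO_LONG;
        }
        if (eol) break;
        if (cap - len < 2) {                     /* buffer full: grow it */
            char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); return CFG_NOMEM; }
            buf = nb; cap *= 2;
        }
    }
    *line = buf;
    return CFG_OK;
}

int main(void)
{
    char *l;
    FILE *fp = tmpfile();   /* constructed sample; last line has no '\n' */
    if (!fp) return 1;
    fputs("SSLRequire %{SSL_CLIENT_S_DN_O} eq \"Example Org\"\nLogLevel warn", fp);
    rewind(fp);
    while (cfg_getline(fp, &l, 8192) == CFG_OK) { puts(l); free(l); }
    fclose(fp);
    return 0;
}
```

After `CFG_TOO_LONG` the stream is positioned at the start of the next line, so a caller can report the offending line number and either stop or continue.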
Comment 1 Stefan Fritsch 2011-03-29 17:39:12 UTC
The error handling has been fixed in trunk in r1086756 / r1086761
Comment 2 Stefan Fritsch 2011-08-13 09:09:21 UTC
Line limit increased to 16MB in r1157354
Comment 3 Stefan Fritsch 2011-10-14 17:57:01 UTC
*** Bug 52017 has been marked as a duplicate of this bug. ***
Comment 4 Stefan Fritsch 2012-02-26 17:10:28 UTC
fixed in 2.4.1