Bug 55360 - Potential buffer overflows in support/ab
Summary: Potential buffer overflows in support/ab
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: support
Version: 2.5-HEAD
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: FixedInTrunk, PatchAvailable
Depends on:
Reported: 2013-08-05 17:46 UTC by Mike Rumph
Modified: 2013-08-19 11:47 UTC

Fix potential overflows for X and T options of support/ab. (2.49 KB, patch)
2013-08-05 17:50 UTC, Mike Rumph

Description Mike Rumph 2013-08-05 17:46:39 UTC
The X and T command line options for the support/ab utility can cause a buffer overflow resulting in segmentation faults.

Both of these options do strcpy into fixed-length buffers of length 1024.

As an example, the following test results in a segmentation fault on my Linux 64 system:

$ ./ab -T text/a123456789...512 times...a123456789 localhost:8080/welcome.html
The total length of the -T value is 5125 bytes.

I've also tried up to a length of 3845 bytes without getting a segmentation fault.
But even in this case the 1024 byte buffer would still be overridden.

There are also 2 fixed-length buffers that are no longer referenced (postfile and url) and 3 other fixed-length buffers that could potentially overflow (servername, buffer, _request).

I will submit a patch for the X and T options and remove the unreferenced buffers.

A fix for the other potential overflows will require a more careful study of the code.
Comment 1 Mike Rumph 2013-08-05 17:50:18 UTC
Created attachment 30676 [details]
Fix potential overflows for X and T options of support/ab.

The added patch replaces strcpy calls with the use of an APR pool.
The patch also removes 2 unreferenced fixed length buffers.
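An added illustration of the two ways out of the problem described in the report and in the attached patch. This is not ab's code or the patch itself: the function names are hypothetical, the 1024-byte size and the 5125-byte sample value come from the report, and a plain malloc copy stands in for the APR pool duplication the real patch uses so the example builds without APR.

```c
#include <stdlib.h>
#include <string.h>

/* Size of the fixed buffers ab used for the -T (content type) and -X (proxy)
 * values; the report's 5125-byte -T value overruns such a buffer. */
#define OPTBUF_LEN 1024

static char content_type[OPTBUF_LEN];

/* Option 1: keep the fixed buffer but refuse any value that does not fit,
 * terminating NUL included. Returns 0 on success, -1 if the value is
 * rejected. (Hypothetical name; ab itself has no such function.) */
int set_content_type_bounded(const char *value)
{
    size_t len = strlen(value);
    if (len >= OPTBUF_LEN) return -1;   /* would overflow: reject, never strcpy */
    memcpy(content_type, value, len + 1);
    return 0;
}

/* Option 2: what the patch does: allocate a copy sized to the value instead
 * of copying into a fixed buffer. The real patch uses apr_pstrdup on an APR
 * pool; a malloc copy stands in here so the example builds without APR.
 * Caller frees the result. */
char *set_content_type_dup(const char *value)
{
    size_t len = strlen(value);
    char *copy = malloc(len + 1);
    if (copy == NULL) return NULL;
    memcpy(copy, value, len + 1);
    return copy;
}

/* Builds a constructed option value of exactly `len` bytes, in the spirit of
 * the report's repeated "a123456789" -T argument. Caller frees the result. */
char *make_value(size_t len)
{
    static const char pattern[] = "a123456789";
    char *v = malloc(len + 1);
    if (v == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        v[i] = pattern[i % (sizeof(pattern) - 1)];
    }
    v[len] = '\0';
    return v;
}
```

With a 5125-byte value the bounded version returns -1 instead of writing past the 1024-byte buffer, while the duplicating version accepts any length because the copy is sized to the input.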
Comment 2 Jeff Trawick 2013-08-06 13:09:30 UTC
This is now in trunk as r1510707, and nominated for inclusion in 2.4.next.
Comment 3 Jeff Trawick 2013-08-19 11:47:43 UTC
In 2.4.x branch with r1515370.