Bug 56289 - Buffer overflow in mod_proxy_html's string replacement can cause a segfault
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy_html
Version: 2.5-HEAD
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: PatchAvailable
Reported: 2014-03-19 21:39 UTC by Micha Lenk
Modified: 2019-01-06 13:06 UTC



Attachments
Fix string replacement segfault in mod_proxy_html (7.82 KB, patch)
2014-03-19 21:39 UTC, Micha Lenk

Description Micha Lenk 2014-03-19 21:39:19 UTC
Created attachment 31413
Fix string replacement segfault in mod_proxy_html

The attached patch fixes a buffer overflow in at least one of the six string replacement implementations in mod_proxy_html.

Unfortunately I don't remember anymore how to reproduce the issue properly, but I know that a long time ago I fixed a segfault with this patch.

The patch tries to address the buffer overflow by introducing a new function preplace() dedicated to clean string replacement. This function is now used in all six places where the error-prone string replacement was previously implemented manually with memcpy() and memmove().
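An added example, not the attached patch and not mod_proxy_html's own code: one way a dedicated replacement helper of the kind described above can validate the matched span and grow the buffer before any memmove()/memcpy() runs. The names strbuf, buf_replace and check_replace are hypothetical, and the buffer is assumed to carry an explicit length rather than a terminating NUL.

```c
#include <stdlib.h>
#include <string.h>

/* Length-tracked buffer; no NUL terminator is assumed or maintained. */
typedef struct { char *data; size_t len, cap; } strbuf;

/* Replace old_len bytes at offset off with rep[0..rep_len). rep must not
 * point into b->data. Returns 0 on success, -1 (buffer unchanged) otherwise. */
int buf_replace(strbuf *b, size_t off, size_t old_len,
                const char *rep, size_t rep_len)
{
    /* The span must lie inside the used region; written to avoid wraparound. */
    if (off > b->len || old_len > b->len - off)
        return -1;
    size_t tail = b->len - off - old_len;   /* bytes after the match */
    size_t base = b->len - old_len;
    if (rep_len > (size_t)-1 - base)        /* new length would wrap */
        return -1;
    size_t new_len = base + rep_len;
    if (new_len > b->cap) {                 /* grow before touching any byte */
        size_t new_cap = b->cap ? b->cap : 16;
        while (new_cap < new_len)
            new_cap = new_cap > (size_t)-1 / 2 ? new_len : new_cap * 2;
        char *p = realloc(b->data, new_cap);
        if (p == NULL) return -1;
        b->data = p; b->cap = new_cap;
    }
    /* Move the tail first (source and destination may overlap). */
    if (tail)
        memmove(b->data + off + rep_len, b->data + off + old_len, tail);
    if (rep_len)
        memcpy(b->data + off, rep, rep_len);
    b->len = new_len;
    return 0;
}

/* Constructed self-check: buffer sized exactly to its input, so any growth
 * must go through the realloc path above. Returns 1 if the result matches. */
int check_replace(const char *in, size_t off, size_t old_len,
                  const char *rep, const char *want)
{
    strbuf b = { malloc(strlen(in)), strlen(in), strlen(in) };
    if (b.data == NULL) return 0;
    memcpy(b.data, in, b.len);
    int ok = buf_replace(&b, off, old_len, rep, strlen(rep)) == 0
          && b.len == strlen(want) && memcmp(b.data, want, b.len) == 0;
    free(b.data);
    return ok;
}
```

The growth case, where the replacement is longer than the match and the buffer has no slack, is the one a hand-written memmove()/memcpy() pair gets wrong when it skips the capacity check.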
Comment 1 Micha Lenk 2014-03-19 21:41:36 UTC
Just for the record, the patch is based on SVN trunk rev. 1579365.
Comment 2 Nick Kew 2014-06-01 18:31:28 UTC
Your patch appears to dispense with null-termination in the buffer.  That's good if it doesn't break anything, and the reasons for null-termination in the buffer are lost in the mists of time!  Is it well-tested with both strings and regexps and ProxyHTMLExtended?
Comment 3 nsg-apache-httpd-maintenance 2018-05-07 12:25:55 UTC
Yes, we have had this patch applied for years in our product, and the segfault has not happened since then.
Comment 4 Micha Lenk 2018-05-07 12:28:22 UTC
> Is it well-tested with both strings and regexps and ProxyHTMLExtended?

Yes, we have had this patch applied for years in our product, and the segfault has not happened since then.