Bug 59844 - Stack address is returned from function parse_ap_expr
Summary: Stack address is returned from function parse_ap_expr
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_include
Version: 2.4.23
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk
Depends on:
Blocks:
 
Reported: 2016-07-12 09:04 UTC by SourceBrella
Modified: 2017-02-03 08:20 UTC



Description SourceBrella 2016-07-12 09:04:53 UTC
The code is as follows.

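static int parse_ap_expr(include_ctx_t *ctx, const char *expr, int *was_error)
{

     ap_expr_info_t expr_info;   /* automatic storage: gone when the function returns */

     ...

     ctx->info = &expr_info;     /* address of the local stored in the longer-lived ctx */

     ...

     return ...
}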

A stack address &expr_info is returned as a side effect.
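
The pattern in the description, as an added example that is not part of the original report or of httpd's code: a self-contained C sketch of the dangling store and two ways to avoid it. All type and function names are hypothetical stand-ins, and neither option is claimed to be the change made for 2.4.25.

```c
#include <stddef.h>

/* Hypothetical stand-ins for ap_expr_info_t and include_ctx_t. */
typedef struct { const char *source; int valid; } expr_info_t;
typedef struct {
    expr_info_t *info;     /* read later by code that only sees ctx */
    expr_info_t  storage;  /* same lifetime as the context itself */
} include_ctx_t;

/* Hypothetical consumer: only ever reaches the info through ctx. */
static int evaluate(const include_ctx_t *ctx)
{
    return ctx->info != NULL && ctx->info->valid;
}

/* Pattern from the report: ctx outlives the call, expr_info does not.
 * GCC 12 and later can report this store with -Wdangling-pointer. */
int parse_unsafe(include_ctx_t *ctx, const char *expr)
{
    expr_info_t expr_info = { expr, expr != NULL && *expr != '\0' };
    ctx->info = &expr_info;
    return evaluate(ctx);          /* ctx->info dangles after this return */
}

/* Option 1: the pointer is needed only during the call, so clear it. */
int parse_scoped(include_ctx_t *ctx, const char *expr)
{
    expr_info_t expr_info = { expr, expr != NULL && *expr != '\0' };
    int ok;
    ctx->info = &expr_info;
    ok = evaluate(ctx);
    ctx->info = NULL;              /* nothing stale left behind */
    return ok;
}

/* Option 2: later code needs the info, so store it in the context. */
int parse_owned(include_ctx_t *ctx, const char *expr)
{
    ctx->storage.source = expr;
    ctx->storage.valid = (expr != NULL && *expr != '\0');
    ctx->info = &ctx->storage;
    return evaluate(ctx);
}
```

After parse_unsafe returns, any later read through ctx->info is undefined behaviour even when no symptom shows, because the old stack slot may still hold the same bytes until another call overwrites it.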
Comment 1 SourceBrella 2016-07-12 09:08:21 UTC
The function is here: modules/filters/mod_include.c
Comment 2 Eric Covener 2016-07-13 12:40:39 UTC
Thanks for the report!
Comment 3 Eric Covener 2016-07-13 12:49:04 UTC
Did you ever see a symptom on this?
Comment 4 SourceBrella 2016-07-18 05:58:17 UTC
I have not seen any symptom, but it is indeed a dangerous operation.
Comment 5 Eric Covener 2016-12-31 00:27:57 UTC
Fixed in 2.4.25
Comment 6 shqking 2017-02-03 08:20:04 UTC
(In reply to Eric Covener from comment #5)
> Fixed in 2.4.25

I found a similar problem in "support/htpasswd.c".
I have reported this issue in https://bz.apache.org/bugzilla/show_bug.cgi?id=60634