Bug 62344 - Failing variable interpolation and memory allocation failure in ProxyHTMLURLMap
Summary: Failing variable interpolation and memory allocation failure in ProxyHTMLURLMap
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy_html (show other bugs)
Version: 2.4.33
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk
Depends on:
Blocks:
 
Reported: 2018-05-02 08:32 UTC by Ewald Dieterich
Modified: 2019-06-14 05:29 UTC (History)
2 users (show)



Attachments
Fix variable interpolation and memory allocation failure in ProxyHTMLURLMap (386 bytes, patch)
2018-05-02 08:32 UTC, Ewald Dieterich
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Ewald Dieterich 2018-05-02 08:32:35 UTC
Created attachment 35903 [details]
Fix variable interpolation and memory allocation failure in ProxyHTMLURLMap

The attached file ProxyHTMLURLMap-memory-allocation-failure.patch fixes a potential memory allocation failure in ProxyHTMLURLMap in conjunction with a failed variable interpolation.

To reproduce, enable variable interpolation in ProxyHTMLURLMap and use a pattern with a variable and the pipe symbol | after the variable. For example:

SetEnv env replaced
ProxyHTMLEnable On
ProxyHTMLInterp On
ProxyHTMLURLMap / /${env}_and_|/subfolder" V

The problem is that in mod_proxy_html.c, interpolate_var(), searching for | isn't restricted to within the variable ${...}.

This leads to a wrong variable interpolation and, depending on your environment, a memory allocation failure.

If you enable trace1 logging for mod_proxy_html you will see something like this:
 
[...] mod_proxy_html.c(744): Interpolating env}_and_  =>  /subfolder"

The attached patch fixes this:

[...] mod_proxy_html.c(750): Interpolating env  =>  replaced
Comment 1 Yann Ylavic 2018-05-02 11:33:05 UTC
Thanks, committed to trunk in r1830746.
Comment 2 Micha Lenk 2018-05-02 13:36:30 UTC
Yann, can you please propose this for backporting to 2.4.x?
Comment 3 Yann Ylavic 2018-05-02 15:33:25 UTC
Proposed in r1830776.
Comment 4 Micha Lenk 2018-05-02 15:40:57 UTC
Awesome, thanks for proposing the backport.

Just a comment on the mentioned memory allocation failure: The reason is the pointer arithmetic, which in the described error case results in a negative length, which then seems to get casted to a very big positive number. If the system is short on memory, it won't be able to provide the requested amount of memory. That is at least how I understood what is happening in the error case.
Comment 5 Christophe JAILLET 2019-06-14 05:29:20 UTC
This have been backported in r1833840.

This is part of 2.4.34.