Bug 63669 - Incomplete error code check in read_request_line()
Status: NEW
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.5-HEAD
Hardware: PC Mac OS X 10.1
Importance: P2 major
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2019-08-16 11:13 UTC by legendt
Modified: 2019-08-16 11:13 UTC

Description legendt 2019-08-16 11:13:21 UTC
at httpd/server/protocol.c around line

static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
{
...
        rv = ap_rgetline(&(r->the_request), (apr_size_t)(r->server->limit_req_line + 2),
                         &len, r, strict ? AP_GETLINE_CRLF : 0, bb);

        if (rv != APR_SUCCESS) {
            r->request_time = apr_time_now();

            /* ap_rgetline returns APR_ENOSPC if it fills up the
             * buffer before finding the end-of-line.  This is only going to
             * happen if it exceeds the configured limit for a request-line.
             */
            if (APR_STATUS_IS_ENOSPC(rv)) {
                r->status = HTTP_REQUEST_URI_TOO_LARGE;
            }
            else if (APR_STATUS_IS_TIMEUP(rv)) {
                r->status = HTTP_REQUEST_TIME_OUT;
            }
            else if (APR_STATUS_IS_EINVAL(rv)) {
                r->status = HTTP_BAD_REQUEST;
            }
            r->proto_num = HTTP_VERSION(1,0);
            r->protocol  = "HTTP/1.0";
            return 0;
        }
...

However, the function ap_rgetline() can actually return error codes other than APR_ENOSPC, APR_TIMEUP, APR_EINVAL. If the input bb is NULL, it can even return APR_BADARG, and in some cases it returns APR_EGENERAL. These errors are ignored and HTTP status is not correctly set.
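
The fall-through described in this report, modeled as an added, self-contained example (not httpd code and not part of the original report). The `RV_*` and `ST_*` names, the stand-in numeric codes, and the choice of 400/500 for the previously unhandled errors are assumptions made for illustration.

```c
#include <stdio.h>

/* Stand-in codes for this example only; not APR's real numeric values. */
enum rv_code { RV_SUCCESS, RV_ENOSPC, RV_TIMEUP, RV_EINVAL,
               RV_BADARG, RV_EGENERAL, RV_COUNT };

enum { ST_UNSET = 0, ST_BAD_REQUEST = 400, ST_TIME_OUT = 408,
       ST_URI_TOO_LARGE = 414, ST_INTERNAL_ERROR = 500 };

/* Mirrors the if/else-if chain quoted in the report: no final else. */
static int map_as_reported(enum rv_code rv, int status)
{
    if (rv == RV_ENOSPC)       status = ST_URI_TOO_LARGE;
    else if (rv == RV_TIMEUP)  status = ST_TIME_OUT;
    else if (rv == RV_EINVAL)  status = ST_BAD_REQUEST;
    return status;             /* any other error: caller's value survives */
}

/* Same chain with every error handled; the 400/500 choices are assumptions. */
static int map_with_default(enum rv_code rv, int status)
{
    switch (rv) {
    case RV_SUCCESS: return status;
    case RV_ENOSPC:  return ST_URI_TOO_LARGE;
    case RV_TIMEUP:  return ST_TIME_OUT;
    case RV_EINVAL:
    case RV_BADARG:  return ST_BAD_REQUEST;
    default:         return ST_INTERNAL_ERROR;
    }
}

/* Count error codes for which a mapper leaves the status untouched. */
static int count_unmapped(int (*map)(enum rv_code, int))
{
    int n = 0;
    for (int rv = RV_SUCCESS + 1; rv < RV_COUNT; rv++)
        if (map((enum rv_code)rv, ST_UNSET) == ST_UNSET)
            n++;
    return n;
}

int main(void)
{
    printf("unmapped, chain as reported: %d\n", count_unmapped(map_as_reported));
    printf("unmapped, with default:      %d\n", count_unmapped(map_with_default));
    return 0;
}
```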