
[Bug 66033] New: Latent read beyond bounds in ap_is_matchexp()
https://bz.apache.org/bugzilla/show_bug.cgi?id=66033

Bug ID: 66033
Summary: Latent read beyond bounds in ap_is_matchexp()
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Core
Assignee: bugs@httpd.apache.org
Reporter: generalbugs@zippenhop.com
Target Milestone: ---

An apparently-latent read-beyond-bounds bug exists in ap_is_matchexp()
(server/util.c). [1] The bug is caused by an overflow when the string being
scanned is > 0x7fffffff characters long. The offending code (from trunk) is:

252: AP_DECLARE(int) ap_is_matchexp(const char *str)
253: {
254:     int x;
255:
256:     for (x = 0; str[x]; x++)
257:         if ((str[x] == '*') || (str[x] == '?'))
258:             return 1;
259:     return 0;
260: }

The problem occurs when line 256 increments |x| from 0x7fffffff (positive) to
0x80000000 (negative after overflow). At that point, 0x80000000 further reads
occur from |str-0x80000000|, |str-0x7fffffff| ... |str| (unless there is a
terminating 0 somewhere in that range). This bug can also cause an infinite
loop if there is no terminating 0 between |str| and |str+0x7fffffff|, and
between |str-0x80000000| and |str-1|.

The bug appears to be latent, at least as of httpd v.2.4.53, in which the only
uses are in push_item() (modules/generators/mod_autoindex.c) and
set_server_alias() (server/core.c).

push_item() appears to be used only with internally-generated strings derived
from the server's filesystem, and so should not be asked to handle any strings
long enough to trigger the bug.

set_server_alias() processes the "ServerAlias" directive from httpd.conf, and
so also should not be asked to handle any strings long enough to trigger the
bug.

[1] The security team asked me to file this bug publicly.
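Editor's added example (not part of the bug report above and not the httpd project's own fix): the root cause is the signed int index `x`, which can wrap once the string exceeds INT_MAX bytes. The block below shows two hardened rewrites, one iterating with a pointer and one bounded by an explicit length, plus a caller-side guard that a function such as set_server_alias() could apply before handing input to the original int-indexed version. All function names are hypothetical; the sample inputs are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Pointer-based rewrite of ap_is_matchexp(): the current position is a
 * pointer, so there is no signed index that can overflow. Still relies
 * on a terminating NUL, like the original. (Added example, not httpd code.) */
int is_matchexp_ptr(const char *str)
{
    const char *p;

    for (p = str; *p != '\0'; p++) {
        if (*p == '*' || *p == '?')
            return 1;
    }
    return 0;
}

/* Length-bounded variant: never reads past str + len, so it is safe even
 * when the caller cannot guarantee a NUL inside the buffer. The index is a
 * size_t, which cannot go negative. */
int is_matchexp_n(const char *str, size_t len)
{
    size_t i;

    for (i = 0; i < len && str[i] != '\0'; i++) {
        if (str[i] == '*' || str[i] == '?')
            return 1;
    }
    return 0;
}

/* Caller-side guard for code that must keep calling the original
 * int-indexed function: reject any string whose length cannot be
 * represented as a non-negative int, i.e. the exact condition under
 * which x++ would overflow in the loop quoted in the report. */
int length_fits_int_index(size_t len)
{
    return len <= (size_t)INT_MAX;
}

/* Convenience wrapper combining the guard with a NUL-terminated check.
 * Returns -1 when the input is too long to be scanned safely. */
int is_matchexp_guarded(const char *str)
{
    size_t len = strlen(str);

    if (!length_fits_int_index(len))
        return -1;
    return is_matchexp_n(str, len);
}
```

is_matchexp_ptr() is the drop-in replacement for the quoted function; is_matchexp_n() is the form to prefer when the input comes from a buffer whose length is already known, since it removes the dependence on a terminating NUL that the report identifies as the trigger for both the out-of-bounds reads and the infinite loop.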
