Mailing List Archive: Apache: Dev

[PATCH 55360] Potential buffer overflows in support/ab



mike.rumph at oracle

Aug 5, 2013, 11:11 AM

Post #1 of 3
[PATCH 55360] Potential buffer overflows in support/ab

Hello all,

A comment section in support/ab.c lists the following known problems:

/*
* BUGS:
*
* - uses strcpy/etc.
* - has various other poor buffer attacks related to the lazy parsing of
* response headers from the server
* - doesn't implement much of HTTP/1.x, only accepts certain forms of
* responses
* - (performance problem) heavy use of strstr shows up top in profile
* only an issue for loopback usage
*/

I was able to duplicate segmentation faults through the T and X command
line options.

I submitted a patch to fix potential buffer overflows through these options.
- https://issues.apache.org/bugzilla/show_bug.cgi?id=55360

The patch also removes 2 unreferenced fixed length buffers.

support/ab.c also contains 3 additional fixed length buffers that could
potentially overflow:
- servername, buffer and _request

Fixing these problems will require a deeper understanding of the code.

Please, consider the submitted patch for adoption.

Thanks,

Mike Rumph
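The unchecked-copy pattern that the BUGS comment warns about, next to a bounded copy that rejects an over-long option value instead of writing past the buffer. This is an added C example, not code from support/ab.c or from the submitted patch; the buffer names, sizes and handler functions are assumed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from support/ab.c or the patch; buffer names
 * and sizes are assumed for illustration only. */
#define CONTENT_TYPE_SIZE 64
#define PROXY_HOST_SIZE   128
static char content_type[CONTENT_TYPE_SIZE];
static char proxy_host[PROXY_HOST_SIZE];

/* The pattern the BUGS comment warns about: strcpy() copies up to the
 * NUL of src regardless of dst's size, so an over-long -T or -X
 * argument writes past the end of the fixed buffer:
 *     strcpy(content_type, optarg);   // no length check at all
 *
 * Bounded replacement: copies src only if it fits in dst including the
 * terminator. Returns 0 on success, -1 if the value is rejected; dst
 * is always NUL-terminated and never written beyond dstsz bytes. */
static int copy_option(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (dstsz == 0 || len >= dstsz) {
        if (dstsz) dst[0] = '\0';  /* leave a well-formed empty string */
        return -1;
    }
    memcpy(dst, src, len + 1);     /* len + 1 copies the terminator too */
    return 0;
}

/* Option handlers as getopt processing would call them; each reports
 * failure instead of silently truncating or overflowing. */
static int set_content_type(const char *value)
{
    return copy_option(content_type, sizeof content_type, value);
}
static int set_proxy(const char *value)
{
    return copy_option(proxy_host, sizeof proxy_host, value);
}

int main(void)
{
    /* Constructed inputs: one value that fits and one that does not. */
    char too_long[CONTENT_TYPE_SIZE + 8];
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';
    printf("-T text/plain -> %d\n", set_content_type("text/plain"));
    printf("-T %zu-byte value -> %d\n", strlen(too_long), set_content_type(too_long));
    return 0;
}
```

A caller that gets -1 back should report the rejected option and exit, which turns what was a memory-corrupting crash into an ordinary usage error.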


trawick at gmail

Aug 5, 2013, 1:10 PM

Post #2 of 3

Re: [PATCH 55360] Potential buffer overflows in support/ab

On Mon, Aug 5, 2013 at 2:11 PM, Mike Rumph <mike.rumph [at] oracle> wrote:

> Hello all,
>
> A comment section in support/ab.c lists the following known problems:
>
> /*
> * BUGS:
> *
> * - uses strcpy/etc.
> * - has various other poor buffer attacks related to the lazy parsing of
> * response headers from the server
> * - doesn't implement much of HTTP/1.x, only accepts certain forms of
> * responses
> * - (performance problem) heavy use of strstr shows up top in profile
> * only an issue for loopback usage
> */
>
> I was able to duplicate segmentation faults through the T and X command
> line options.
>
> I submitted a patch to fix potential buffer overflows through these
> options.
> - https://issues.apache.org/bugzilla/show_bug.cgi?id=55360
>
> The patch also removes 2 unreferenced fixed length buffers.
>
> support/ab.c also contains 3 additional fixed length buffers that could
> potentially overflow:
> - servername, buffer and _request
>
> Fixing these problems will require a deeper understanding of the code.
>
> Please, consider the submitted patch for adoption.
>


The patch looks fine in an initial glance. I anticipate committing it
today after eyeballing it a bit more. (Or else I'll speak up.)

Thanks,

Jeff


>
> Thanks,
>
> Mike Rumph
>
>
>


--
Born in Roswell... married an alien...
http://emptyhammock.com/


trawick at gmail

Aug 5, 2013, 1:25 PM

Post #3 of 3

Re: [PATCH 55360] Potential buffer overflows in support/ab

On Mon, Aug 5, 2013 at 4:10 PM, Jeff Trawick <trawick [at] gmail> wrote:

> On Mon, Aug 5, 2013 at 2:11 PM, Mike Rumph <mike.rumph [at] oracle> wrote:
>
>> Hello all,
>>
>> A comment section in support/ab.c lists the following known problems:
>>
>> /*
>> * BUGS:
>> *
>> * - uses strcpy/etc.
>> * - has various other poor buffer attacks related to the lazy parsing of
>> * response headers from the server
>> * - doesn't implement much of HTTP/1.x, only accepts certain forms of
>> * responses
>> * - (performance problem) heavy use of strstr shows up top in profile
>> * only an issue for loopback usage
>> */
>>
>> I was able to duplicate segmentation faults through the T and X command
>> line options.
>>
>> I submitted a patch to fix potential buffer overflows through these
>> options.
>> - https://issues.apache.org/bugzilla/show_bug.cgi?id=55360
>>
>> The patch also removes 2 unreferenced fixed length buffers.
>>
>> support/ab.c also contains 3 additional fixed length buffers that could
>> potentially overflow:
>> - servername, buffer and _request
>>
>> Fixing these problems will require a deeper understanding of the code.
>>
>> Please, consider the submitted patch for adoption.
>>
>
>
> The patch looks fine in an initial glance. I anticipate committing it
> today after eyeballing it a bit more. (Or else I'll speak up.)
>

This is now in trunk as r1510707; I'll nominate for inclusion in 2.4.next
shortly.


> Thanks,
>
> Jeff
>
>
>>
>> Thanks,
>>
>> Mike Rumph
>>
>>
>>
>
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
>



--
Born in Roswell... married an alien...
http://emptyhammock.com/
