Handle ap_get_client_block() error in am_read_post_data() #71
| ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, | ||
| "Failed to read POST data from client."); | ||
| return HTTP_INTERNAL_SERVER_ERROR; | ||
| } | ||
| else if ((apr_size_t)read_length > bytes_left) { |
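Review bot: the `(apr_size_t)read_length > bytes_left` comparison is only safe because the negative return is caught in the branch immediately above it; add a comment stating that the cast relies on that ordering. Since the ap_get_client_block() contract says it never fills more than bufsiz bytes, this branch is an internal inconsistency rather than a normal input case, so it should log and return HTTP_INTERNAL_SERVER_ERROR the same way the error branch above does, instead of being treated as recoverable.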
Could you clarify this a bit -- in what cases will ap_get_client_block return more than bytes_left?
From the documentation, it looks like it shouldn't do that:
/**
* Call this in a loop. It will put data into a buffer and return the length
* of the input block
* @param r The current request
* @param buffer The buffer in which to store the data
* @param bufsiz The size of the buffer
* @return Number of bytes inserted into the buffer. When done reading, 0
* if EOF, or -1 if there was an error
*/
Thanks for looking into this! You are right that we need to handle the error condition. I do strongly suspect that it crashes on the second iteration, since at that point we are asking Apache to read from something that has already returned an error. Looking at the code, I think we also need to put an upper bound on the number of bytes that we are willing to read, but I think that belongs in a separate patch.
| */ | ||
| read_length = ap_get_client_block(r, &(*data)[bytes_read], | ||
| bytes_left); | ||
| if (read_length == 0) { | ||
| // got the EOF | ||
| break; |
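Review bot: `// got the EOF` is a C++-style comment, while the surrounding module code uses `/* */` block comments (the `*/` closing the comment just above the call shows the convention); change it to `/* got the EOF */`. Also, breaking out on EOF leaves bytes_read below the declared Content-Length when the client sends a short body, so whatever follows the loop should size and terminate the buffer from bytes_read rather than from the declared length.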
Hi olavmrk, as I have said, I did not check if the underflow is triggerable. The main fix is to check for the ap_get_client_block() error. For the crash, when ap_get_client_block() returns -1, the loop in mod_auth_mellon will allocate an "infinite" number of empty bucket brigades. In my coredump, you could see that Apache had created approximately 451,000,000 empty brigades before crashing ;-)
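To make the failure mode and the fix concrete, here is an added, self-contained C example; it is not code from the pull request or from mod_auth_mellon. Apache's ap_get_client_block() is replaced by a constructed callback with the same contract (bytes read, 0 at EOF, -1 on error), so the loop can be exercised offline with three constructed clients: a normal one, one that fails on its second call (the case that made the original loop spin forever), and a misbehaving one that reports more bytes than it was asked for (the over-read case guarded by the bytes_left check). All names here are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for ap_get_client_block(): returns bytes placed in buf,
 * 0 at EOF, or -1 on error. (Assumed signature for this example.) */
typedef long (*client_block_fn)(void *ctx, char *buf, size_t bufsiz);

/* Result codes mirroring the statuses the patch returns. */
enum read_result { READ_OK = 0, READ_INTERNAL_ERROR = 500 };

/* Hardened read loop modelled on the fix discussed in the PR:
 * stop on -1, stop on EOF, and refuse any read_length > bytes_left
 * so that bytes_left can never underflow. */
int read_post_data(client_block_fn reader, void *ctx,
                   size_t content_length, char **data, size_t *data_len)
{
    size_t bytes_read = 0;
    size_t bytes_left = content_length;

    *data = malloc(content_length + 1);
    if (*data == NULL)
        return READ_INTERNAL_ERROR;

    while (bytes_left > 0) {
        long read_length = reader(ctx, *data + bytes_read, bytes_left);
        if (read_length < 0) {
            /* The unpatched loop kept calling the reader here forever. */
            free(*data);
            *data = NULL;
            return READ_INTERNAL_ERROR;
        }
        if (read_length == 0)
            break;                       /* EOF: short body */
        if ((size_t)read_length > bytes_left) {
            /* Cast is safe only because read_length >= 0 here. */
            free(*data);
            *data = NULL;
            return READ_INTERNAL_ERROR;
        }
        bytes_read += (size_t)read_length;
        bytes_left -= (size_t)read_length;
    }
    (*data)[bytes_read] = '\0';          /* size from bytes_read, not the header */
    *data_len = bytes_read;
    return READ_OK;
}

/* Constructed fake client: serves body in chunks of at most `chunk` bytes,
 * fails (-1) once more than fail_after calls were made (-1 = never),
 * and, if lie is set, reports more bytes than the caller's buffer holds. */
struct fake_client {
    const char *body;
    size_t len, pos, chunk;
    int fail_after, calls, lie;
};

static long fake_get_client_block(void *ctx, char *buf, size_t bufsiz)
{
    struct fake_client *c = ctx;
    c->calls++;
    if (c->fail_after >= 0 && c->calls > c->fail_after)
        return -1;
    if (c->lie)
        return (long)bufsiz + 1;         /* impossible length, writes nothing */
    size_t n = c->len - c->pos;
    if (n > c->chunk) n = c->chunk;
    if (n > bufsiz) n = bufsiz;
    memcpy(buf, c->body + c->pos, n);
    c->pos += n;
    return (long)n;
}

/* Happy path: 11-byte body in 4-byte chunks; returns bytes read (11). */
long demo_normal(void)
{
    struct fake_client c = { "hello world", 11, 0, 4, -1, 0, 0 };
    char *data = NULL; size_t len = 0;
    int rc = read_post_data(fake_get_client_block, &c, 11, &data, &len);
    long out = (rc == READ_OK && strcmp(data, "hello world") == 0) ? (long)len : -1;
    free(data);
    return out;
}

/* Error path: reader fails on its second call; returns how many reader
 * calls were made before the loop gave up (2 with the check in place). */
int demo_error(void)
{
    struct fake_client c = { "hello world", 11, 0, 4, 1, 0, 0 };
    char *data = NULL; size_t len = 0;
    int rc = read_post_data(fake_get_client_block, &c, 11, &data, &len);
    return (rc == READ_INTERNAL_ERROR && data == NULL) ? c.calls : -1;
}

/* Over-read path: reader claims bytes_left + 1; returns the status code. */
int demo_overread(void)
{
    struct fake_client c = { "hello world", 11, 0, 4, -1, 0, 1 };
    char *data = NULL; size_t len = 0;
    return read_post_data(fake_get_client_block, &c, 11, &data, &len);
}

int main(void)
{
    printf("normal: %ld bytes\n", demo_normal());
    printf("error: reader called %d times\n", demo_error());
    printf("over-read: status %d\n", demo_overread());
    return 0;
}
```

The point of the fake client with fail_after is the call counter: with the -1 check the loop terminates after the failing call, whereas the unpatched loop would keep asking Apache for more data from a request that has already failed, which is what produced the hundreds of millions of empty brigades in the coredump.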
I don't think it can ever happen (
OK, that is good to know. Then this crashes the web server process, but doesn't allow for overwriting arbitrary data. Could you amend your patch with:
c09d29d to 5f03a63
I have updated the patch. Is it OK for you?
Handle ap_get_client_block() error in am_read_post_data()
Yes, thanks!
Resolves: Uninett#71
Hello,
I had the same segmentation fault as in issue #48.
Here is a patch that should fix the segfault: am_read_post_data() should check if ap_get_client_block() returns an error.
The patch also fixes a possible underflow in am_read_post_data() if mod_auth_mellon receives too much POST data. I have not checked if it is possible to trigger that underflow.
Regards,
Vincent Rasneur
Software security engineer, DenyAll
vrasneur@denyall.com