Saturday, April 27, 2019

A bug in Apache's Axis2/C

The latest version of Axis2/C from Apache is 1.6.0 (

There is a bug in the file src/core/transport/http/server/apache2/apache2_stream.c of this release:

    /* Header as in apache2_stream.c; the excerpt quoted on the page starts at the parameter list. */
    int AXIS2_CALL
    apache2_stream_read(
        axutil_stream_t * stream,
        const axutil_env_t * env,
        void *buffer,
        size_t count)
    {
        apache2_stream_impl_t *stream_impl = NULL;
        size_t read = 0;          /* first highlighted place: "read" is unsigned */
        size_t len = 0;

        stream_impl = AXIS2_INTF_TO_IMPL(stream);

        while(count - len > 0)
        {
            /* second highlighted place: ap_get_client_block() can return -1 */
            read = ap_get_client_block(stream_impl->request, (char *) buffer + len,
                                       count - len);
            if(read > 0 && read != 0xFFFFFFFF)
            {
                len += read;
            }
        }

        return (int)len;
        /* We are sure that the difference lies within the int range */
    }

At the first highlighted place the variable "read" is declared with type size_t. But at the second highlighted place ap_get_client_block() can return -1, which is converted into a very large unsigned value when it is assigned to "read", because size_t is unsigned. The comparison against 0xFFFFFFFF only catches that value where size_t is 32 bits wide; where size_t is 64 bits wide, -1 becomes 0xFFFFFFFFFFFFFFFF, passes both tests, and is added to "len".

To trigger the bug, send the application an HTTP request whose Content-Length is larger than the actual size of the body.

A quick fix is to change the type of "read" to ssize_t, so that -1 can legitimately be assigned to it and is then rejected by the read > 0 test:

    ssize_t read = 0;
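As an added illustration that is not part of the post or of the Axis2/C source, the guard and loop above reduced to a few functions run against a constructed stand-in for ap_get_client_block(): the size_t version of the guard accepts the -1 on a 64-bit platform and moves "len" backwards, while the ssize_t version rejects it; the fixed loop also gains a break on error that the post's snippet does not include, so a short body ends the read instead of being retried.

```c
#include <string.h>
#include <sys/types.h>

/* Constructed request whose Content-Length promised more than the client sent. */
typedef struct { const char *body; size_t avail; } fake_request_t;

/* Constructed stand-in for ap_get_client_block(): hands out what is left of the
   body, then reports the shortfall with -1, the real function's error return. */
static long fake_get_client_block(fake_request_t *r, char *out, size_t bufsiz)
{
    size_t n = r->avail < bufsiz ? r->avail : bufsiz;
    if (n == 0)
        return -1;
    memcpy(out, r->body, n);
    r->body += n;
    r->avail -= n;
    return (long)n;
}

/* The post's guard with "read" declared size_t: on LP64 the -1 becomes
   0xFFFFFFFFFFFFFFFF, which is > 0 and != 0xFFFFFFFF, so it is accepted. */
int size_t_guard_accepts(long ret)
{
    size_t read = (size_t)ret;   /* the conversion the implicit assignment does */
    return read > 0 && read != 0xFFFFFFFF;
}

/* One iteration of the original loop on an error return: the converted -1 is
   added to len, which steps backwards (4 becomes 3) while the loop continues. */
size_t buggy_step(size_t len, long ret)
{
    size_t read = (size_t)ret;
    if (read > 0 && read != 0xFFFFFFFF)
        len += read;
    return len;
}

/* The loop with the ssize_t fix, plus a break (not in the post) on error. */
size_t fixed_read(fake_request_t *r, char *buffer, size_t count)
{
    size_t len = 0;
    while (count - len > 0) {
        ssize_t read = fake_get_client_block(r, buffer + len, count - len);
        if (read > 0 && read != 0xFFFFFFFF)   /* -1 now fails read > 0 */
            len += (size_t)read;
        else
            break;
    }
    return len;
}
```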
