The latest version of Axis2/C from Apache is 1.6.0 (http://axis.apache.org/axis2/c/core/download.cgi).
There is a bug in the file src/core/transport/http/server/apache2/apache2_stream.c of this release:
int AXIS2_CALL
apache2_stream_read(
    axutil_stream_t * stream,
    const axutil_env_t * env,
    void *buffer,
    size_t count)
{
    apache2_stream_impl_t *stream_impl = NULL;
    size_t read = 0;
    size_t len = 0;
    AXIS2_ENV_CHECK(env, AXIS2_CRITICAL_FAILURE);
    stream_impl = AXIS2_INTF_TO_IMPL(stream);
    while(count - len > 0)
    {
        read = ap_get_client_block(stream_impl->request, (char *) buffer + len,
            count - len);
        if(read > 0 && read != 0xFFFFFFFF)
        {
            len += read;
        }
        else
        {
            break;
        }
    }
    return (int)len;
    /* We are sure that the difference lies within the int range */
}
In the declaration near the top of the function, the variable "read" is of type size_t. But in the call to ap_get_client_block(), that function can return -1, which is converted into a huge unsigned integer when assigned to "read", because size_t is unsigned.
To trigger the bug, send the application an HTTP request whose Content-Length is larger than the actual size of the body.
A quick fix is to change the type of "read" to ssize_t to allow -1 being legally assigned to it:
ssize_t read = 0;
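The following is an added C demonstration, not code from the Axis2/C project: it models only the length accounting of the loop above, using a constructed stand-in for ap_get_client_block() that delivers one short chunk and then reports -1, and places the original size_t version beside the ssize_t fix. It also shows that the original `read != 0xFFFFFFFF` comparison rejects -1 only where size_t is 32 bits wide; on a 64-bit build -1 becomes SIZE_MAX, passes the check, and wraps `len`.

```c
#include <stddef.h>
#include <sys/types.h>

/* Constructed stand-in for ap_get_client_block(): one 5-byte chunk, then -1
 * (the error httpd reports when the body ends before Content-Length bytes
 * arrive). It never writes to a buffer, so only the accounting is exercised. */
static long fake_client_block(int call, size_t bufsiz)
{
    (void)bufsiz;
    return call == 0 ? 5 : -1;
}

/* The original test in isolation: does it let a -1 return value through? */
static int original_check_accepts(long rc)
{
    size_t read = (size_t)rc;                 /* -1 becomes SIZE_MAX */
    return read > 0 && read != 0xFFFFFFFF;    /* rejects -1 only for 32-bit size_t */
}

/* Accounting loop as in Axis2/C 1.6.0, with `read` declared size_t.
 * A cap of three calls is added here so the demonstration terminates. */
static int vulnerable_len(size_t count, int *calls)
{
    size_t read = 0, len = 0;
    for (*calls = 0; count - len > 0 && *calls < 3; ) {
        read = fake_client_block((*calls)++, count - len); /* implicit: -1 -> SIZE_MAX */
        if (read > 0 && read != 0xFFFFFFFF)
            len += read;                      /* with read == SIZE_MAX this is len - 1 */
        else
            break;
    }
    return (int)len;
}

/* Same loop with the post's fix: ssize_t keeps -1 negative, so the loop stops. */
static int fixed_len(size_t count, int *calls)
{
    ssize_t read = 0;
    size_t len = 0;
    for (*calls = 0; count - len > 0; ) {
        read = fake_client_block((*calls)++, count - len);
        if (read > 0)
            len += (size_t)read;
        else
            break;                            /* 0 (end of body) and -1 (error) both stop */
    }
    return (int)len;
}
```

On a 64-bit build vulnerable_len(100, ...) keeps accepting the -1 results and returns a wrapped length after the call cap, while fixed_len(100, ...) stops after the error and returns the 5 bytes actually received.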
Saturday, April 27, 2019