Saturday, April 27, 2019

A bug in Apache's Axis2/C


The latest version of Axis2/C from Apache is 1.6.0 (http://axis.apache.org/axis2/c/core/download.cgi).

There is a bug in the file src/core/transport/http/server/apache2/apache2_stream.c of this release:

int AXIS2_CALL
apache2_stream_read(
    axutil_stream_t * stream,
    const axutil_env_t * env,
    void *buffer,
    size_t count)
{
    apache2_stream_impl_t *stream_impl = NULL;
    size_t read = 0;    /* unsigned: cannot hold the -1 that signals a failed read */
    size_t len = 0;

    AXIS2_ENV_CHECK(env, AXIS2_CRITICAL_FAILURE);

    stream_impl = AXIS2_INTF_TO_IMPL(stream);

    while(count - len > 0)
    {
        /* ap_get_client_block() returns long: bytes read, 0 at end of body,
         * -1 on error; assigned to a size_t, -1 becomes SIZE_MAX */
        read = ap_get_client_block(stream_impl->request, (char *) buffer + len,
                                   count - len);
        /* the 0xFFFFFFFF test only matches the converted -1 when size_t is 32 bits */
        if(read > 0 && read != 0xFFFFFFFF)
        {
            len += read;
        }
        else
        {
            break;
        }
    }

    return (int)len;
    /* We are sure that the difference lies within the int range */
}


In the declaration "size_t read = 0;" the variable "read" is unsigned. But ap_get_client_block() returns a long and yields -1 when the read fails, and assigning -1 to a size_t converts it to the largest unsigned value: 0xFFFFFFFF when size_t is 32 bits, 0xFFFFFFFFFFFFFFFF when it is 64 bits. The test "read != 0xFFFFFFFF" therefore only recognises the error on a 32-bit build; on a 64-bit build the converted -1 is greater than zero and different from 0xFFFFFFFF, so it is added to "len" as if it were a byte count, and the loop carries on with a wrapped "len".

To trigger the bug, send the application an HTTP request whose Content-Length header is greater than the number of body bytes actually sent, so that the read for the missing bytes fails and ap_get_client_block() returns -1.

A quick fix is to change the type of "read" to ssize_t (or to long, the actual return type of ap_get_client_block()) so that -1 can legally be assigned to it and stays negative, which the existing "read > 0" test already rejects:

    ssize_t read = 0; 

With that change the "read != 0xFFFFFFFF" comparison becomes redundant. The caller still has to expect that apache2_stream_read() returns fewer bytes than the Content-Length promised.
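As an added example (not code from this post or from Axis2/C), the following C program reproduces the behaviour described above with a stand-in for ap_get_client_block() that keeps its contract (bytes copied, 0 at end of body, -1 on a failed read) and a constructed request whose Content-Length (64) exceeds the 5 body bytes actually sent. It runs the loop as shipped and the loop with the ssize_t fix over the same input. The names fake_request_t, fake_get_client_block(), read_result_t, buggy_stream_read(), fixed_stream_read(), run_buggy() and run_fixed() are all invented here, and the assumption that nothing is written into the buffer on -1 is stated in the code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for Apache's request_rec: the body bytes the client
 * really sent and the Content-Length it claimed. */
typedef struct {
    const char *body;
    size_t body_len;
    size_t declared_len;   /* value of the Content-Length header */
    size_t consumed;
} fake_request_t;

/* Stand-in for ap_get_client_block() with the same contract: number of bytes
 * copied, 0 once the declared body is complete, -1 when the read fails (here:
 * the client promised more bytes than it sent).  Assumption: nothing is
 * written into the buffer on -1. */
static long fake_get_client_block(fake_request_t *r, char *buf, size_t bufsiz)
{
    size_t avail = r->body_len - r->consumed;
    if (r->consumed >= r->declared_len) return 0;
    if (avail == 0) return -1;
    if (avail > bufsiz) avail = bufsiz;
    memcpy(buf, r->body + r->consumed, avail);
    r->consumed += avail;
    return (long)avail;
}

/* What one simulated apache2_stream_read() call did. */
typedef struct {
    size_t len;          /* the "bytes read" the loop accumulated */
    size_t calls;        /* ap_get_client_block() calls made */
    int    wrapped;      /* 1 if len ran past count (buggy loop only) */
    size_t next_bufsiz;  /* length the next call would have been given */
} read_result_t;

/* The loop as shipped: "read" is size_t, so -1 becomes SIZE_MAX.  The
 * 0xFFFFFFFF sentinel only equals that on a 32-bit size_t; on a 64-bit build
 * the -1 passes both tests and "len += read" subtracts one from len (adding
 * SIZE_MAX is adding -1 modulo 2^64), so each further -1 walks len back one
 * byte until it wraps.  The only addition is the guard, which stops the demo
 * before buffer + len would point outside the buffer. */
static read_result_t buggy_stream_read(fake_request_t *r, char *buffer, size_t count)
{
    read_result_t res = {0, 0, 0, 0};
    size_t read = 0;                              /* the bug */
    size_t len = 0;
    while (count - len > 0) {
        res.calls++;
        read = fake_get_client_block(r, buffer + len, count - len);
        if (read > 0 && read != 0xFFFFFFFF)
            len += read;
        else
            break;
        if (len > count) {                        /* demo guard, not in Axis2/C */
            res.wrapped = 1;
            res.next_bufsiz = count - len;        /* also wrapped: count + 1 */
            break;
        }
    }
    res.len = len;
    return res;
}

/* The post's fix: ssize_t (or long, the real return type) keeps -1 negative,
 * so "read > 0" rejects it and the 0xFFFFFFFF test is no longer needed. */
static read_result_t fixed_stream_read(fake_request_t *r, char *buffer, size_t count)
{
    read_result_t res = {0, 0, 0, 0};
    ssize_t read = 0;
    size_t len = 0;
    while (count - len > 0) {
        res.calls++;
        read = fake_get_client_block(r, buffer + len, count - len);
        if (read > 0)
            len += (size_t)read;
        else
            break;
    }
    res.len = len;
    return res;
}

/* The trigger from the post, constructed: Content-Length 64, body of 5 bytes. */
read_result_t run_buggy(void)
{
    fake_request_t r = { "hello", 5, 64, 0 };
    char buffer[64] = {0};
    return buggy_stream_read(&r, buffer, sizeof buffer);
}

read_result_t run_fixed(void)
{
    fake_request_t r = { "hello", 5, 64, 0 };
    char buffer[64] = {0};
    return fixed_stream_read(&r, buffer, sizeof buffer);
}

int main(void)
{
    read_result_t b = run_buggy(), f = run_fixed();
    printf("size_t is %zu bytes\n", sizeof(size_t));
    printf("buggy: len=%zu calls=%zu wrapped=%d next_bufsiz=%zu\n",
           b.len, b.calls, b.wrapped, b.next_bufsiz);
    printf("fixed: len=%zu calls=%zu\n", f.len, f.calls);
    return 0;
}
```

On a 64-bit build the shipped loop takes seven calls: the first delivers 5 bytes, each of the next six returns -1 and moves "len" back by one, and after the sixth "len" is SIZE_MAX, at which point the next call would have been asked to write count + 1 bytes starting one byte before the buffer. On a 32-bit size_t the sentinel matches and the loop stops after the second call with len = 5, which is also what the fixed loop returns on every platform.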


