Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Invalid
Description
If the server responds with slightly incorrect output, without an HTTP reason phrase in the Status-Line, serf crashes while parsing it, trying to allocate 2^63 (or 2^31) bytes of memory.
For example, a response like this:

    HTTP/1.1 302
    Location: ...
    ....

will lead to a crash in parse_status_line in serf/instaweb_respond_buckets.
The code in which it crashes is:
    /* Skip leading spaces for the reason string. */
    if (apr_isspace(*reason)) {
        reason++;
    }

    /* Copy the reason value out of the line buffer. The length is computed
     * without checking that reason still lies within the first
     * linebuf.used bytes of the line. */
    ctx->sl.reason = serf_bstrmemdup(allocator, reason,
                                     ctx->linebuf.used
                                     - (reason - ctx->linebuf.line));
In the example above it gives me the following values:
(gdb) p ctx->linebuf.used
$15 = 12
(gdb) p reason
$16 = 0x7fffdc0d3a35 "Server: nginx\r\nDate: Tue, 24 Jun 2014 06:55:55 GMT\r\nContent-Type: image/gif\r\nContent-Length: 43\r\nLast-Modified: Mon, 28 Sep 1970 06:00:00 GMT\r\nConnection: keep-alive\r\nKeep-Alive: timeout=70\r\nExpires: "...
(gdb) p reason - ctx->linebuf.line
$17 = 13
which leads to serf_bstrmemdup allocating -1 (2^63) bytes.
Original issue reported by bacek@bacek.com
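The arithmetic behind the crash, and a bounded way to parse the same status line, as an added example that is not part of the report or of serf itself. The `struct linebuf`, the buffer contents and the function names are constructed stand-ins for the serf types shown above.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for serf's line buffer: `line` holds `used` bytes,
 * and bytes past `used` may hold stale data (as the gdb output showed). */
struct linebuf { const char *line; size_t used; };

/* The report's arithmetic, unchanged: once `reason` has been stepped past
 * line + used, the unsigned subtraction wraps to SIZE_MAX. */
size_t reason_len_unchecked(const struct linebuf *lb, const char *reason)
{
    return lb->used - (size_t)(reason - lb->line);
}

/* Reproduce the trigger on a constructed buffer: "HTTP/1.1 302" is 12 bytes,
 * and the stale byte at offset 12 is whitespace, so the skip runs off the end. */
size_t demo_wrap(void)
{
    static const char raw[] = "HTTP/1.1 302\r\nServer: nginx\r\n";  /* constructed */
    struct linebuf lb = { raw, 12 };
    const char *reason = lb.line + 12;          /* where the status-code parse stopped */
    if (isspace((unsigned char)*reason))        /* unconditional skip, as on the page */
        reason++;
    return reason_len_unchecked(&lb, reason);   /* 12 - 13 wraps to SIZE_MAX */
}

/* Bounded parse of "HTTP/x.y NNN[ reason]". Returns the reason length (0 when
 * the phrase is absent) or -1 on malformed input; never indexes past `used`. */
long parse_status_line_safe(const struct linebuf *lb, int *code, const char **reason)
{
    const char *p = lb->line, *end = lb->line + lb->used;
    if (lb->used < 12 || memcmp(p, "HTTP/", 5) != 0 || p[6] != '.' || p[8] != ' ')
        return -1;
    if (!isdigit((unsigned char)p[5]) || !isdigit((unsigned char)p[7]))
        return -1;
    p += 9;
    for (int i = 0; i < 3; i++)
        if (!isdigit((unsigned char)p[i])) return -1;
    *code = (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');
    p += 3;
    if (p < end && *p == ' ')     /* skip the separator only while inside the buffer */
        p++;
    *reason = p;
    return (long)(end - p);       /* never negative: p <= end by construction */
}
```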