  1. Subversion
  2. SVN-4782

Using (const char*)1 in Apache HTTP server modules as value for r->notes causes httpd to crash


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.9.x, trunk, 1.10.x, 1.11.x
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Environment:

      All environments

      Description

      mod_authz_svn.c and mod_dav_svn.c add keys to r->notes to memorize boolean states (FORCE_AUTHN_NOTE, IN_SOME_AUTHN_NOTE, authz_svn-anon-ok, NO_MAP_TO_STORAGE_NOTE). They use (const char*)1 as values for the keys. This causes any call to apr_table_clone for r->notes to crash with a SEGFAULT, because (const char*)1 is an invalid address. mod_http2 in httpd calls apr_table_clone for r->notes and hence the httpd process crashes. The attached patch (against trunk) replaces the value of (const char*)1 in these cases with a value of "1".

        Attachments

        1. notes_fix.diff
          2 kB
          Ruediger Pluem
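
The failure mode described in the report, as an added example that is not part of the issue or the attached patch. The `notes_*` helpers are a hypothetical stand-in for a notes table (not APR code), built on the assumption that the setter stores the pointer as given and the clone duplicates every value as a NUL-terminated string, which is why a sentinel such as `(const char*)1` only faults once something clones the table.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a notes table; not APR code. */
#define MAX_NOTES 8
typedef struct {
    const char *key[MAX_NOTES];
    const char *val[MAX_NOTES];
    int n;
} notes_t;

/* Stores the pointers as given, without reading them, so any value "works". */
static int notes_setn(notes_t *t, const char *key, const char *val) {
    if (t->n == MAX_NOTES) return -1;
    t->key[t->n] = key;
    t->val[t->n] = val;
    t->n++;
    return 0;
}

static const char *notes_get(const notes_t *t, const char *key) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->key[i], key) == 0) return t->val[i];
    return NULL;
}

static char *dup_str(const char *s) {
    size_t len = strlen(s) + 1;      /* dereferences s */
    char *p = malloc(len);
    if (p) memcpy(p, s, len);
    return p;
}

/* Deep copy: every value is read as a string (copies are not freed here). */
static int notes_clone(notes_t *dst, const notes_t *src) {
    dst->n = 0;
    for (int i = 0; i < src->n; i++) {
        char *k = dup_str(src->key[i]);
        char *v = dup_str(src->val[i]);  /* (const char *)1 would fault here */
        if (!k || !v || notes_setn(dst, k, v) != 0) return -1;
    }
    return 0;
}

/* Returns 1 if the boolean note is still readable from a cloned table. */
int flag_survives_clone(void) {
    notes_t notes = {0}, copy = {0};
    /* Before the fix: notes_setn(&notes, "authz_svn-anon-ok", (const char *)1); */
    notes_setn(&notes, "authz_svn-anon-ok", "1");
    if (notes_clone(&copy, &notes) != 0) return 0;
    const char *v = notes_get(&copy, "authz_svn-anon-ok");
    return v != NULL && v != notes_get(&notes, "authz_svn-anon-ok") && strcmp(v, "1") == 0;
}

int main(void) { return flag_survives_clone() ? 0 : 1; }
```
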

            People

            • Assignee:
              Unassigned
              Reporter:
              rpluem@apache.org Ruediger Pluem