Uploaded image for project: 'Subversion'
  1. Subversion
  2. SVN-4782

Using (const char*)1 in Apache HTTP server modules as value for r->notes cause httpd to crash

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 1.9.x, trunk, 1.10.x, 1.11.x
    • 1.14.0
    • None
    • All environments

    Description

      mod_authz_svn.c and mod_dav_svn.c add keys to r->notes to memorize boolean states (FORCE_AUTHN_NOTE, IN_SOME_AUTHN_NOTE, authz_svn-anon-ok, NO_MAP_TO_STORAGE_NOTE). They use (const char*)1 as values for the keys. This causes any call to apr_table_clone for r->notes to crash with a SEGFAULT, because (const char*)1 is an invalid address. mod_http2 in httpd calls apr_table_clone for r->notes and hence the httpd process crashes. The attached patch (against trunk) replaces the value of  (const char*)1 in these cases with a value of "1".

      Attachments

        1. notes_fix.diff
          2 kB
          Ruediger Pluem

        Activity

          People

            Unassigned Unassigned
            rpluem Ruediger Pluem
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: