Bug #1900

closed

wrong format when long request size

Added by stepancheg almost 16 years ago. Updated almost 16 years ago.

Status: Fixed
Priority: High
Category: core
Target version:
ASK QUESTIONS IN Forums:

Description

===
diff r 48f3f2b6cb81 src/request.c
--
a/src/request.c Sun Feb 15 16:52:40 2009 0300
++ b/src/request.c Sun Feb 15 23:24:29 2009 +0300
@ -656,7 +656,7 @
con->http_status = 413;
con->keep_alive = 0;

- log_error_write(srv, FILE, LINE, "sds",
+ log_error_write(srv, FILE, LINE, "sos",
"request-size too long:", con->request.content_length, "-> 413");
return 0;
} ===

On 32-bit hosts, this causes "-> 413" not to be printed if the file size is below 2G, and causes bad things if above 2G. Probably, this is a security vulnerability.
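The mechanism behind the report (the "-> 413" text vanishing below 2G, worse above) can be shown without relying on undefined behaviour by simulating the argument area a 32-bit caller hands to a va_arg-driven logger. The following is an added example and not lighttpd code: it lays out the three arguments of the request.c call the way an ILP32 compiler with a 64-bit off_t pushes them, then walks the "sds" and "sos" format strings reading each letter with the width its va_arg type would have. It generalises slightly beyond the ticket by also covering sizes above 4G. The two pointer values are constructed fake addresses, and treating a NULL second string as "append nothing" is an assumption about the logger, consistent with the missing text stepancheg observed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated ILP32 (i386-style) vararg area: char* and int take 4 bytes, a
 * large-file off_t takes 8, all little-endian with the low word first. */
typedef struct { uint8_t buf[64]; size_t len; } argstack;

static void push_le(argstack *s, uint64_t v, size_t nbytes)
{
    for (size_t i = 0; i < nbytes && s->len < sizeof s->buf; i++)
        s->buf[s->len++] = (uint8_t)(v >> (8 * i));
}

/* Caller side of the request.c call, laid out the way a 32-bit compiler pushes
 * ("request-size too long:", con->request.content_length, "-> 413").
 * The two pointer values are constructed fake addresses (assumption). */
static argstack build_caller_args(int64_t content_length)
{
    argstack s = { {0}, 0 };
    push_le(&s, 0x08048100u, 4);               /* char* -> "request-size too long:" */
    push_le(&s, (uint64_t)content_length, 8);  /* off_t, 64 bits with LFS */
    push_le(&s, 0x08048200u, 4);               /* char* -> "-> 413" */
    return s;
}

/* What the logger ends up holding after walking its format string. */
typedef struct {
    uint32_t strs[4];   /* pointer read for each 's', in order */
    int      nstrs;
    int64_t  number;    /* value read for the 'd' (int) or 'o' (off_t) letter */
    size_t   consumed;  /* bytes pulled from the argument area */
    int      overrun;   /* set if the reader ran past what the caller pushed */
} walk_result;

static uint64_t take_le(const argstack *s, walk_result *r, size_t nbytes)
{
    uint64_t v = 0;
    if (r->consumed + nbytes > s->len) { r->overrun = 1; return 0; }
    for (size_t i = 0; i < nbytes; i++)
        v |= (uint64_t)s->buf[r->consumed + i] << (8 * i);
    r->consumed += nbytes;
    return v;
}

/* Callee side: the three format letters used in the patch, each read with the
 * width its va_arg type would have ('s' char*, 'd' int, 'o' off_t). */
static walk_result walk_format(const char *fmt, const argstack *s)
{
    walk_result r;
    memset(&r, 0, sizeof r);
    for (; *fmt; fmt++) {
        if (*fmt == 's') {
            if (r.nstrs < 4) r.strs[r.nstrs++] = (uint32_t)take_le(s, &r, 4);
        } else if (*fmt == 'd') {
            uint32_t u = (uint32_t)take_le(s, &r, 4);       /* int: low word only */
            r.number = u >= 0x80000000u ? (int64_t)u - 0x100000000LL : (int64_t)u;
        } else if (*fmt == 'o') {
            r.number = (int64_t)take_le(s, &r, 8);          /* off_t: both words */
        }
    }
    return r;
}

/* Single-field accessors for one (format, content_length) combination. */
static int64_t number_read(const char *fmt, int64_t cl)
{ argstack s = build_caller_args(cl); return walk_format(fmt, &s).number; }
static uint32_t second_ptr_read(const char *fmt, int64_t cl)
{ argstack s = build_caller_args(cl); return walk_format(fmt, &s).strs[1]; }
static size_t bytes_consumed(const char *fmt, int64_t cl)
{ argstack s = build_caller_args(cl); return walk_format(fmt, &s).consumed; }

/* 1 if the format consumes exactly what the caller pushed and every field
 * comes back intact, i.e. the format letters match the argument types. */
static int format_matches_caller(const char *fmt, int64_t cl)
{
    argstack s = build_caller_args(cl);
    walk_result r = walk_format(fmt, &s);
    return !r.overrun && r.consumed == s.len && r.nstrs == 2
        && r.strs[1] == 0x08048200u && r.number == cl;
}

int main(void)
{
    const int64_t sizes[] = { 1467124824LL, 3000000000LL, 5000000000LL };
    const char *fmts[] = { "sds", "sos" };
    for (int f = 0; f < 2; f++)
        for (int i = 0; i < 3; i++)
            printf("%s len=%lld: number=%lld second-string-ptr=0x%08x consumed=%zu %s\n",
                   fmts[f], (long long)sizes[i], (long long)number_read(fmts[f], sizes[i]),
                   second_ptr_read(fmts[f], sizes[i]), bytes_consumed(fmts[f], sizes[i]),
                   format_matches_caller(fmts[f], sizes[i]) ? "ok" : "MISMATCH");
    return 0;
}
```

With "sds" the walker stops four bytes short of what the caller pushed, and the pointer it returns for the second string is the high word of content_length: zero for anything under 4G (so nothing is appended after the number), a bogus address above that, and between 2G and 4G the number itself also comes back negative. With "sos" every field lines up and the byte counts agree. On x86-64 each variadic argument occupies its own 8-byte slot, so an int read from an off_t slot still leaves the following pointer in place, which is why the mismatch does not reproduce on 64-bit hosts.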

Actions #1

Updated by stepancheg almost 16 years ago

diff -r 48f3f2b6cb81 src/request.c
--- a/src/request.c    Sun Feb 15 16:52:40 2009 +0300
+++ b/src/request.c    Sun Feb 15 23:24:29 2009 +0300
@@ -656,7 +656,7 @@
             con->http_status = 413;
             con->keep_alive = 0;

-            log_error_write(srv, __FILE__, __LINE__, "sds",
+            log_error_write(srv, __FILE__, __LINE__, "sos",
                     "request-size too long:", con->request.content_length, "-> 413");
             return 0;
         }
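Review bot: The 'd' to 'o' letter change in the log_error_write format is a real correctness fix, not cosmetic, and the hunk would benefit from a one-line comment saying why: con->request.content_length is an off_t, so on an ILP32 build with large-file support 'd' makes the logger pull a 4-byte int out of an 8-byte argument and then read the following "-> 413" string pointer four bytes early, while 'o' is the logger's off_t letter. Because this custom format string gets no compiler type-checking the way printf does, it is also worth a quick pass over the other log_error_write calls that pass off_t fields with 'd' before merging.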
Actions #2

Updated by stbuehler almost 16 years ago

Yes, this looks like a bug. But I couldn't reproduce any segfault or wrong error message with 1.5 or 1.4 on 32-bit and 64-bit hosts.

Do you have a backtrace/real examples?

Actions #3

Updated by stepancheg almost 16 years ago

I haven't tried to reproduce the SEGV, but I reproduced the wrong message. Before the patch it was:

2009-02-15 23:01:42: (request.c.659) request-size too long: 1467124824

After the patch:

2009-02-15 23:56:25: (request.c.659) request-size too long: 1467124801 -> 413

What is sizeof(long) on your 32-bit host? It must be 32 to reproduce the problem.

Actions #4

Updated by stepancheg almost 16 years ago

I was wrong about SEGV:

            if (r > SSIZE_MAX) {
                con->http_status = 413;

                ERROR("request-size too long: %s (Status: 413)", SAFE_BUF_STR(ds->value));

                return 0;
            }

is checked before. The real problem is only in the diagnostic message.

Actions #5

Updated by stbuehler almost 16 years ago

  • Subject changed from wrong format when long request size (SEGV) to wrong format when long request size
Actions #6

Updated by stbuehler almost 16 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2395.
