https://bz.apache.org/bugzilla/show_bug.cgi?id=69404

            Bug ID: 69404
           Summary: htdbm poor user check leading to NullDereference
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: support
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Created attachment 39912
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=39912&action=edit
htdbm failure test cases with stack traces

htdbm segfaults with specific parameters.

Steps to reproduce:

1. Built with:
$ export CC="clang-17"
$ export CXX="clang++-17"
$ export CFLAGS="-pipe -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fsanitize=address,undefined"
$ export UBSAN_OPTIONS=print_stacktrace=1
$ svn co http://svn.apache.org/repos/asf/apr/apr/trunk srclib/apr
$ <some buildconf calls>
$ ./configure --with-included-apr --host=x86_64-linux-gnu \
    --build=x86_64-linux-gnu --enable-layout=Debian --enable-so \
    --with-program-name=apache2 --enable-suexec --with-suexec-caller=www-data \
    --with-suexec-bin=/usr/lib/apache2/suexec --with-suexec-docroot=/var/www \
    --with-suexec-userdir=public_html \
    --with-suexec-logfile=/var/log/apache2/suexec.log --with-suexec-uidmin=100 \
    --enable-suexec=shared --enable-log-config=static \
    --with-pcre=/usr/bin/pcre2-config --enable-pie \
    --enable-mpms-shared=all --with-mpm=prefork \
    --enable-mods-shared="all brotli cgi ident authnz_fcgi imagemap cern_meta proxy_fdpass proxy_http2 bucketeer case_filter case_filter_in" \
    --enable-mods-static="unixd logio watchdog version"
$ make

2. Find all testcases in attachment (with stacktraces).

Option -l sets variable need_user = 0, since then we don't call
htdbm_valid_username to check if we have a correct username in struct htdbm_t
*h. This leads to NullDereference bugs in different functions.

In my opinion, we should somehow patch this thing.

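
The root cause described in the report, as an added example that is not part of the original message and is not httpd source: a simplified model in which a flag cleared by one option decides whether username validation runs, next to a variant that derives the requirement from the operation itself. Only `need_user` and the idea of a username validator come from the report; `model_op`, `OP_LIST`, `OP_USER_EDIT`, `MODEL_MAX_USER` and the function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model, not httpd source. Only need_user and the idea of a
 * username validator come from the report; everything else is hypothetical. */
enum model_op { OP_LIST, OP_USER_EDIT };  /* OP_USER_EDIT reads the username */
#define MODEL_MAX_USER 255                /* constructed limit */

/* Validator that rejects a missing username instead of dereferencing it. */
static int model_valid_username(const char *username)
{
    if (username == NULL || username[0] == '\0')
        return -1;
    if (strlen(username) > MODEL_MAX_USER || strchr(username, ':') != NULL)
        return -1;
    return 0;
}

/* Pattern from the report: a flag that one option clears decides whether
 * validation runs, so a NULL username can reach code that uses it. */
static int check_by_flag(const char *username, int need_user)
{
    return need_user ? model_valid_username(username) : 0;
}

/* Hardened: the requirement follows from the operation that will execute. */
static int check_by_operation(enum model_op op, const char *username)
{
    return op == OP_LIST ? 0 : model_valid_username(username);
}

int main(void)
{
    /* Constructed state: need_user cleared, username never set. */
    int flag_ok = check_by_flag(NULL, 0);                 /* accepted */
    int op_ok   = check_by_operation(OP_USER_EDIT, NULL); /* rejected */
    return (flag_ok == 0 && op_ok == -1) ? 0 : 1;
}
```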