Hi,

Someone in our QA team tried the following test:

        telnet <host> 80
        GET https://whatever.html HTTP/1.0

This resulted in a segfault for the child that handled the request.
Agreed, this is not a normal HTTP request, but firing enough of them
will surely DoS the server.

Our apache runs on Sparc/Solaris8 and 'httpd -l' gives:

  Compiled in modules:
    core.c
    mod_access.c
    mod_cache.c
    mod_disk_cache.c
    mod_deflate.c
    mod_jk.c
    mod_log_config.c
    mod_env.c
    mod_setenvif.c
    mod_ssl.c
    prefork.c
    http_core.c
    mod_mime.c
    mod_alias.c

Gdb told me that there was a null pointer dereference in
ap_cache_get_cache_type when it tried to compare the request's
URL with the prefix from the configuration.

The patch will just return NULL when the URL is NULL and results
in no caching for that request (which seems reasonable since there
is no URL to cache).

ps: I don't know whether the actual fix of this problem should
be in cache_util.c or somewhere in the URI parsing routines.

-- 
ir. Kris Verbeeck
Development Engineer

Ubizen - Ubicenter - Philipssite 5 - 3001 Leuven - Belgium
T:  +32 16 28 70 64
F:  +32 16 28 70 77

Ubizen - We Secure e-business - www.ubizen.com
--- httpd-2.0.40/modules/experimental/cache_util.c      Sun Jun 23 08:10:00 2002
+++ httpd-2.0.40-PATCHED/modules/experimental/cache_util.c      Mon Aug 26 17:28:37 
+2002
@@ -104,6 +104,12 @@
     const char *type = NULL;
     int i;
 
+    /* we can't cache if there's no URL
+     * fixes segfault for 'GET https://whatever.html HTTP/1.0' request
+     * on HTTP port (e.g. 80)
+     */
+    if (!url) return NULL;
+
     /* loop through all the cacheenable entries */
     for (i = 0; i < conf->cacheenable->nelts; i++) {
         struct cache_enable *ent = 
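Review bot: the early return is correctly placed after the declarations, but the comment above `if (!url) return NULL;` documents the reproduction rather than the contract; consider stating the condition itself, e.g. "url may be NULL when the request line carries an absolute URI with no path; treat that as uncacheable", so the next reader knows which callers can hit it. Since `type` is already initialised to NULL and the cacheenable loop falls through to that value when no prefix matches, callers already treat a NULL return as "no cache type", so the new return is consistent with the existing contract; worth confirming that the cachedisable loop (not shown in this hunk) does not compare against url before this guard.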

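The two halves of the bug described above, as an added illustration that is not part of the original mail or of httpd's cache_util.c: a request-target such as `https://whatever.html` has a scheme and a host but no path, so a parser can legitimately hand back a NULL path, and a prefix comparison that assumes a non-NULL URL then dereferences it. The struct and function names below, and the assumption that the NULL originates from an absolute URI without a path component, are the example's own, not httpd's.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a CacheEnable entry: a URL prefix and the
 * cache type it maps to (hypothetical names, not httpd's own structs). */
struct cache_enable_entry {
    const char *type;
    const char *url_prefix;
};

/* Constructed configuration, roughly "CacheEnable disk /images" etc. */
static const struct cache_enable_entry g_cacheenable[] = {
    { "disk", "/images" },
    { "mem",  "/api" },
};
static const size_t g_cacheenable_n =
    sizeof g_cacheenable / sizeof g_cacheenable[0];

/* Extract the path component of a request-target.  Returns a pointer into
 * `target` at the start of the path, or NULL when the request line carries
 * an absolute URI with nothing after the host ("https://whatever.html").
 * Assumption: this mirrors a URI parser leaving the path unset in that case. */
const char *request_path(const char *target)
{
    const char *scheme_end;
    const char *authority;

    if (target == NULL)
        return NULL;
    if (target[0] == '/')
        return target;                 /* origin-form: "/images/logo.png" */
    scheme_end = strstr(target, "://");
    if (scheme_end == NULL)
        return NULL;                   /* neither origin-form nor absolute URI */
    authority = scheme_end + 3;
    return strchr(authority, '/');     /* NULL when no path follows the host */
}

/* Unguarded lookup: the shape of code that crashes when url is NULL,
 * because strncmp reads through the pointer.  Never call with NULL. */
const char *cache_type_unguarded(const char *url)
{
    size_t i;

    for (i = 0; i < g_cacheenable_n; i++) {
        const struct cache_enable_entry *ent = &g_cacheenable[i];
        if (strncmp(ent->url_prefix, url, strlen(ent->url_prefix)) == 0)
            return ent->type;
    }
    return NULL;                       /* no prefix matched: not cacheable */
}

/* Guarded lookup, the behaviour the patch introduces: no URL, no caching.
 * A NULL return already means "no cache type", so callers need no change. */
const char *cache_type_guarded(const char *url)
{
    if (url == NULL)
        return NULL;
    return cache_type_unguarded(url);
}
```

Feeding `request_path("https://whatever.html")` into the guarded lookup returns NULL and the request is simply served uncached, which is the outcome the patch aims for; the same input into the unguarded variant is the segfault the mail reports.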