https://bz.apache.org/bugzilla/show_bug.cgi?id=63669
Bug ID: 63669
Summary: Incomplete error code check for read_request_line()
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: major
Priority: P2
Component: Core
Assignee: bugs@httpd.apache.org
Reporter: lege...@foxmail.com
Target Milestone: ---
at httpd/server/protocol.c around line
static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
{
    ...
    rv = ap_rgetline(&(r->the_request),
                     (apr_size_t)(r->server->limit_req_line + 2),
                     &len, r, strict ? AP_GETLINE_CRLF : 0, bb);
    if (rv != APR_SUCCESS) {
        r->request_time = apr_time_now();
        /* ap_rgetline returns APR_ENOSPC if it fills up the
         * buffer before finding the end-of-line. This is only going to
         * happen if it exceeds the configured limit for a request-line.
         */
        if (APR_STATUS_IS_ENOSPC(rv)) {
            r->status = HTTP_REQUEST_URI_TOO_LARGE;
        }
        else if (APR_STATUS_IS_TIMEUP(rv)) {
            r->status = HTTP_REQUEST_TIME_OUT;
        }
        else if (APR_STATUS_IS_EINVAL(rv)) {
            r->status = HTTP_BAD_REQUEST;
        }
        r->proto_num = HTTP_VERSION(1,0);
        r->protocol = "HTTP/1.0";
        return 0;
    }
    ...
However, the function ap_rgetline() can actually return error codes other than
APR_ENOSPC, APR_TIMEUP, APR_EINVAL. If the input bb is NULL, it can even return
APR_BADARG, and in some cases it returns APR_EGENERAL. These errors are ignored
and HTTP status is not correctly set.
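The gap described in the report can be checked mechanically. The following is an added example, not httpd code and not the project's fix: it models the three-branch mapping quoted above next to a variant with a catch-all branch, and counts the failure codes that leave the status untouched. The RV_* values, STATUS_UNSET, the function names and the choice of 400 as the fallback are assumptions made for illustration; the real codes and APR_STATUS_IS_*() macros come from APR.

```c
#include <stdio.h>
#include <stddef.h>

/* Stand-ins (assumption): real code uses apr_status_t and APR_STATUS_IS_*(). */
enum rv_code { RV_SUCCESS, RV_ENOSPC, RV_TIMEUP, RV_EINVAL, RV_BADARG, RV_EGENERAL };

#define STATUS_UNSET               0    /* hypothetical marker for "never assigned" */
#define HTTP_BAD_REQUEST           400
#define HTTP_REQUEST_TIME_OUT      408
#define HTTP_REQUEST_URI_TOO_LARGE 414

/* Mapping as quoted in the report: any other failure leaves status as it was. */
static int map_reported(enum rv_code rv, int status)
{
    if (rv == RV_ENOSPC)      status = HTTP_REQUEST_URI_TOO_LARGE;
    else if (rv == RV_TIMEUP) status = HTTP_REQUEST_TIME_OUT;
    else if (rv == RV_EINVAL) status = HTTP_BAD_REQUEST;
    return status;
}

/* Variant with a catch-all; 400 as the fallback is an assumption, not the project's choice. */
static int map_with_fallback(enum rv_code rv, int status)
{
    switch (rv) {
    case RV_SUCCESS: return status;
    case RV_ENOSPC:  return HTTP_REQUEST_URI_TOO_LARGE;
    case RV_TIMEUP:  return HTTP_REQUEST_TIME_OUT;
    default:         return HTTP_BAD_REQUEST;   /* EINVAL, BADARG, EGENERAL, ... */
    }
}

typedef int (*mapper_fn)(enum rv_code, int);

/* Count failure codes for which the mapper never assigns an HTTP status. */
static int count_unmapped(mapper_fn map)
{
    static const enum rv_code failures[] =
        { RV_ENOSPC, RV_TIMEUP, RV_EINVAL, RV_BADARG, RV_EGENERAL };
    int n = 0;
    for (size_t i = 0; i < sizeof failures / sizeof failures[0]; i++)
        if (map(failures[i], STATUS_UNSET) == STATUS_UNSET)
            n++;
    return n;
}

int main(void)
{
    printf("unmapped, reported mapping: %d\n", count_unmapped(map_reported));
    printf("unmapped, with fallback:    %d\n", count_unmapped(map_with_fallback));
    return 0;
}
```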