This patch fixes an instance of undefined behavior in mod_http2 with
LogLevel >= trace2.
Please see the h2_h2_process_conn() function in h2_h2.c:631. The
call to ap_log_cerror() passes a pointer to a non-null-terminated buffer
while specifying %s in the format string. This causes an out-of-bounds
access, and the behavior is undefined:
h2_h2.c(631): [client 127.0.0.1:22398] h2_h2, not detected in 24
bytes: GET /Azimuthal_equidista\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd
\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd...
I attached the patch with a fix for this issue.
Regards,
Evgeny Kotkov
Index: modules/http2/h2_h2.c
===================================================================
--- modules/http2/h2_h2.c (revision 1747688)
+++ modules/http2/h2_h2.c (working copy)
@@ -629,8 +629,8 @@ int h2_h2_process_conn(conn_rec* c)
}
else {
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
- "h2_h2, not detected in %d bytes: %s",
- (int)slen, s);
+ "h2_h2, not detected in %d bytes: %.*s",
+ (int)slen, (int)slen, s);
}
apr_brigade_destroy(temp);
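Review bot: The `%.*s` conversion with `(int)slen` as the precision argument is the right fix for the over-read described above, since the formatter now stops after `slen` bytes instead of scanning for a terminator that `s` does not have; the cast to `int` also matches the type the `*` precision consumes, so both added arguments are correct. One caveat worth a short comment next to the call: `%.*s` still stops at the first embedded NUL, so for binary preface data fewer than `slen` bytes may appear in the log line; that is acceptable for a trace2 diagnostic, but a comment stating that `s` is not NUL-terminated would keep a later cleanup from reverting to plain `%s`.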