Hi
We have found a bug with the strip_eol() function in pound-1.10 with
truncated headers.
The strip_eol() function searches a string for "\n" or "\r\n" and
replaces this with "\0". The Pound-1.10 implementation does not check for
a terminating null character, so if no newline is found in the string it
scans the rest of the memory as well.
All headers include a newline character, so this usually works well.
Headers larger than MAXBUF are however truncated and the newline is lost,
and then pound usually segfaults.
The attached patch fixes this problem by also checking the string passed to
strip_eol() for a terminating null character.
I also added a bunch of "buf[MAXBUF-1] = '\0';" wherever BIO_gets() was
called since I couldn't find any documentation stating that the strings
returned by BIO_gets() were guaranteed to be null terminated.
The patch has now been running for a while in production. No side effects
have been detected, and Pound-1.10 has stopped segfaulting when it receives
requests or headers larger than 2k.
The patch is kept at http://folesvaert.no/pound/patches/ along with my other
Pound-1.10 patches.
Many thanks to Peter Pettersen for hunting down this bug!
Regards
Rune
--
Rune Saetre
rst(at)folesvaert.no
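The failure mode described in the mail (a line-ending scan that never checks for the terminating NUL, fed a header that was truncated to MAXBUF and so lost its newline) is shown below as an added example. This is not Pound's code and not the patch from the mail: the function names strip_eol(), read_line_into(), header_line_has_eol() and header_line_stripped() are chosen here for illustration, MAXBUF is set to a deliberately tiny 16 so a short header overflows it, and read_line_into() only simulates the one-line-at-a-time read that BIO_gets() does in Pound. The strip routine stops at '\0' as well as at '\n', so the truncated line is left intact instead of being scanned off the end of the buffer, and the line reader applies the explicit buf[MAXBUF-1] = '\0' termination the mail mentions.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for Pound's MAXBUF (assumption: the real value is much larger).
 * Kept tiny here so an ordinary-looking header overflows it in the demo. */
#define MAXBUF 16

/*
 * Hardened strip_eol: removes a trailing "\n" or "\r\n" in place.
 * The loop condition stops at the terminating NUL, so a buffer holding a
 * truncated header with no newline is left untouched instead of being
 * scanned beyond its end (the over-read that caused the segfault).
 * Returns 1 if a line ending was found and removed, 0 otherwise.
 */
int strip_eol(char *s)
{
    for (char *p = s; *p != '\0'; p++) {
        if (*p == '\n') {
            if (p > s && p[-1] == '\r')
                p--;
            *p = '\0';
            return 1;
        }
    }
    return 0;   /* reached the NUL first: nothing stripped, no over-read */
}

/*
 * Simulates reading one header line into a MAXBUF-byte buffer (the role
 * BIO_gets() plays in the mail): at most MAXBUF-1 bytes are copied,
 * reading stops after a '\n', and the buffer is always NUL-terminated.
 * A line longer than MAXBUF-1 bytes is truncated and loses its newline,
 * which is exactly the input that made an unchecked scan run off the buffer.
 */
size_t read_line_into(char buf[MAXBUF], const char *src)
{
    size_t n = 0;
    while (n < MAXBUF - 1 && src[n] != '\0') {
        buf[n] = src[n];
        n++;
        if (src[n - 1] == '\n')
            break;
    }
    buf[n] = '\0';
    buf[MAXBUF - 1] = '\0';   /* the explicit termination the mail adds */
    return n;
}

/* Read one constructed header line, strip it, report whether an EOL was found. */
int header_line_has_eol(const char *src)
{
    char buf[MAXBUF];
    read_line_into(buf, src);
    return strip_eol(buf);
}

/* Same, but return the stripped text (static buffer, overwritten per call). */
const char *header_line_stripped(const char *src)
{
    static char buf[MAXBUF];
    read_line_into(buf, src);
    strip_eol(buf);
    return buf;
}

int main(void)
{
    /* Constructed sample header lines; the third is longer than MAXBUF. */
    const char *lines[] = {
        "Host: x\r\n",
        "Host: x\n",
        "X-Long-Header: aaaaaaaaaaaaaaaaaaaa\r\n",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int found = header_line_has_eol(lines[i]);
        printf("eol=%d stripped=\"%s\"\n", found, header_line_stripped(lines[i]));
    }
    return 0;
}
```

Running the demo shows the two short headers stripped cleanly and the long one coming back as the 15-byte truncated prefix with eol=0: the scan ended at the NUL rather than continuing into whatever memory followed the buffer.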