Mailing List Archive

[Bug 64297] New: mod_md uninitialized variable
https://bz.apache.org/bugzilla/show_bug.cgi?id=64297

Bug ID: 64297
Summary: mod_md uninitialized variable
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: critical
Priority: P2
Component: mod_md
Assignee: bugs@httpd.apache.org
Reporter: toan.sec@gmail.com
Target Milestone: ---

Hi,
While auditing httpd I caught this bug:
https://github.com/apache/httpd/blob/trunk/modules/md/md_acme.c#L170
static apr_status_t inspect_problem(md_acme_req_t *req, const md_http_response_t *res)
{
    const char *ctype;
    md_json_t *problem;                                  (1)

    ctype = apr_table_get(req->resp_hdrs, "content-type");
    if (ctype && !strcmp(ctype, "application/problem+json")) {
        /* RFC 7807 */
        md_json_read_http(&problem, req->p, res);        (2)
        if (problem) {                                   (3)
            const char *ptype, *pdetail;

----
https://github.com/apache/httpd/blob/trunk/modules/md/md_json.c#L1160
apr_status_t md_json_read_http(md_json_t **pjson, apr_pool_t *pool, const md_http_response_t *res)
{
    apr_status_t rv = APR_ENOENT;
    const char *ctype = apr_table_get(res->headers, "content-type");
    if (ctype && res->body (4) && (strstr(ctype, "/json") || strstr(ctype, "+json"))) {
        rv = md_json_readb(pjson, pool, res->body);
    }
    return rv;
}
The variable problem is uninitialized at (1) and passed as a pointer to
md_json_read_http at (2); if res->body is null at (4) it will return APR_ENOENT
without initializing pjson (or problem).
At (3) [problem] is used without any check on the return value of md_json_read_http, so
[problem] never gets initialized.


It looks like if an attacker can control the authority server he can exploit this bug.

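As an added illustration of the fix the report implies (not httpd's code; the types and helper names are constructed stand-ins for the APR/mod_md ones), the hardened shape of the caller: the out-pointer starts as NULL and is dereferenced only after the return value is checked, so a response without a body is handled as "no problem document" instead of as garbage:

```c
#include <string.h>

/* Constructed stand-ins for the APR/mod_md types in the report (not httpd's own). */
typedef int apr_status_t;
#define APR_SUCCESS 0
#define APR_ENOENT  2
typedef struct { const char *ctype; const char *body; } http_response_t; /* hypothetical */
typedef struct { const char *detail; } json_t;                           /* hypothetical */

/* Mirrors the contract of md_json_read_http on the page: *pjson is written
 * only when the body is present and the content type is JSON; on the
 * APR_ENOENT path the out-parameter is left untouched. */
static apr_status_t read_http_json(json_t **pjson, json_t *storage,
                                   const http_response_t *res)
{
    apr_status_t rv = APR_ENOENT;
    if (res->ctype && res->body &&
        (strstr(res->ctype, "/json") || strstr(res->ctype, "+json"))) {
        storage->detail = res->body;
        *pjson = storage;
        rv = APR_SUCCESS;
    }
    return rv;
}

/* Hardened caller: the pointer starts as NULL (fixes (1)) and is used only
 * after the return value is checked (fixes (3)). Returns 1 when a problem
 * document was parsed, 0 otherwise; *pdetail receives its detail or NULL. */
int inspect_problem_fixed(const http_response_t *res, const char **pdetail)
{
    json_t storage;
    json_t *problem = NULL;
    *pdetail = NULL;
    if (res->ctype && !strcmp(res->ctype, "application/problem+json")) {
        apr_status_t rv = read_http_json(&problem, &storage, res);
        if (rv == APR_SUCCESS && problem != NULL) {
            *pdetail = problem->detail;
            return 1;
        }
    }
    return 0;
}

/* Wrapper for the cases in the report: 1 only if a detail string was safely extracted. */
int check_case(const char *ctype, const char *body)
{
    const char *detail;
    http_response_t res = { ctype, body };
    return inspect_problem_fixed(&res, &detail) && detail != NULL;
}
```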