[Bug 64297] New: mod_md uninitialized variable

Bug ID: 64297
Summary: mod_md uninitialized variable
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: critical
Priority: P2
Component: mod_md
Target Milestone: ---

When auditing httpd I caught this bug:

    static apr_status_t inspect_problem(md_acme_req_t *req, const md_http_response_t *res)
    {
        const char *ctype;
        md_json_t *problem;                                  /* (1) */

        ctype = apr_table_get(req->resp_hdrs, "content-type");
        if (ctype && !strcmp(ctype, "application/problem+json")) {
            /* RFC 7807 */
            md_json_read_http(&problem, req->p, res);        /* (2) */
            if (problem) {                                   /* (3) */
                const char *ptype, *pdetail;
                /* ... excerpt ends here ... */

    apr_status_t md_json_read_http(md_json_t **pjson, apr_pool_t *pool, const md_http_response_t *res)
    {
        apr_status_t rv = APR_ENOENT;
        const char *ctype = apr_table_get(res->headers, "content-type");
        if (ctype && res->body /* (4) */ && (strstr(ctype, "/json") || strstr(ctype, "+json"))) {
            rv = md_json_readb(pjson, pool, res->body);
        }
        return rv;
    }

The variable problem is uninitialized at (1) and is passed as a pointer to
md_json_read_http at (2); if res->body is null at (4), it will return APR_ENOENT
without initializing pjson (or problem).
At (3), [problem] is used without any check on the return value of
md_json_read_http, so [problem] never gets initialized.

It looks like if an attacker can control the authority server, he can exploit this bug.
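Added example, not part of the original report and not mod_md code: a reduced model of the out-parameter pattern described at (1) to (4), next to a hardened form that initializes the pointer and checks the return value. The types, function names and the `initial` parameter (which stands in for the indeterminate value of the uninitialized local so the result is deterministic) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for md_json_t / md_http_response_t; not mod_md code. */
typedef struct { const char *text; } json_t;
typedef struct { const char *ctype; const char *body; } resp_t;
enum { RV_OK = 0, RV_ENOENT = 1 };

static json_t parsed;               /* constructed parse result */
static json_t stale = { "stale" };  /* models leftover stack contents */

/* Reported shape: *pjson is written only on the success path. */
static int read_json_unsafe(json_t **pjson, const resp_t *res) {
    int rv = RV_ENOENT;
    if (res->ctype && res->body && strstr(res->ctype, "+json")) {
        parsed.text = res->body;
        *pjson = &parsed;
        rv = RV_OK;
    }
    return rv;
}

/* Hardened reader: the out-parameter is defined on every path. */
static int read_json_safe(json_t **pjson, const resp_t *res) {
    *pjson = NULL;
    return read_json_unsafe(pjson, res);
}

/* Caller as reported. Returns 1 when the branch at (3) is entered. */
static int inspect_unsafe(const resp_t *res, json_t *initial) {
    json_t *problem = initial;         /* models the uninitialized local at (1) */
    read_json_unsafe(&problem, res);   /* return value ignored, as at (2) */
    return problem != NULL;
}

/* Hardened caller: initialize, then trust the pointer only on success. */
static int inspect_safe(const resp_t *res) {
    json_t *problem = NULL;
    if (read_json_safe(&problem, res) != RV_OK) return 0;
    return problem != NULL;
}

int main(void) {
    resp_t no_body = { "application/problem+json", NULL };  /* constructed input */
    printf("unsafe=%d safe=%d\n", inspect_unsafe(&no_body, &stale), inspect_safe(&no_body));
    return 0;
}
```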

