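Notes on the Apache vulnerability CVE-2011-3192
This is about the so-called Apache Killer.
The main contributor to the httpd process size bloat caused by requests carrying multiple Range header ranges (usually incrementing by 1 byte) is
a structure called apr_bucket.
In Apache 2.0.x, the source was in srclib\apr-util\include\apr_buckets.h.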
/**
 * apr_bucket structures are allocated on the malloc() heap and
 * their lifetime is controlled by the parent apr_bucket_brigade
 * structure. Buckets can move from one brigade to another e.g. by
 * calling APR_BRIGADE_CONCAT(). In general the data in a bucket has
 * the same lifetime as the bucket and is freed when the bucket is
 * destroyed; if the data is shared by more than one bucket (e.g.
 * after a split) the data is freed when the last bucket goes away.
 */
struct apr_bucket {
    /** Links to the rest of the brigade */
    APR_RING_ENTRY(apr_bucket) link;
    /** The type of bucket. */
    const apr_bucket_type_t *type;
    /** The length of the data in the bucket. This could have been implemented
     * with a function, but this is an optimization, because the most
     * common thing to do will be to get the length. If the length is unknown,
     * the value of this field will be (apr_size_t)(-1).
     */
    apr_size_t length;
    /** The start of the data in the bucket relative to the private base
     * pointer. The vast majority of bucket types allow a fixed block of
     * data to be referenced by multiple buckets, each bucket pointing to
     * a different segment of the data. That segment starts at base+start
     * and ends at base+start+length.
     * If the length == (apr_size_t)(-1), then start == -1.
     */
    apr_off_t start;
    /** type-dependent data hangs off this pointer */
    void *data;
    /**
     * Pointer to function used to free the bucket. This function should
     * always be defined and it should be consistent with the memory
     * function used to allocate the bucket. For example, if malloc() is
     * used to allocate the bucket, this pointer should point to free().
     * @param e Pointer to the bucket being freed
     */
    void (*free)(void *e);
    /** The freelist from which this bucket was allocated */
    apr_bucket_alloc_t *list;
};
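To make the link between the number of ranges and per-request bucket overhead concrete, here is an added example (not code from Apache or from the original post) that inspects a Range header value, counts ranges and overlaps, and gives a lower bound on bucket header memory. The names bucket_model, inspect_range and range_is_suspicious, the "at least one bucket per range" estimate, and the threshold are assumptions for illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in with the same fields as apr_bucket above; the two ring
 * pointers and the layout are assumptions, not APR's definition. */
struct bucket_model {
    void *next, *prev; const void *type; size_t length;
    long long start; void *data; void (*free)(void *e); void *list;
};
struct range_stats { int count; int overlapping; size_t min_bucket_bytes; };

/* Parse a Range header value ("bytes=a-b,c-d,...").
 * Returns 0 and fills *out, or -1 if the value is malformed. */
int inspect_range(const char *value, struct range_stats *out)
{
    long long max_end = -1;              /* highest end offset seen so far */
    const char *p;
    memset(out, 0, sizeof *out);
    if (strncmp(value, "bytes=", 6) != 0) return -1;
    p = value + 6;
    while (*p) {
        long long first = -1, last = -1; char *e;
        if (isdigit((unsigned char)*p)) { first = strtoll(p, &e, 10); p = e; }
        if (*p++ != '-') return -1;
        if (isdigit((unsigned char)*p)) { last = strtoll(p, &e, 10); p = e; }
        if (first < 0 && last < 0) return -1;           /* bare "-" */
        if (*p == ',') p++; else if (*p) return -1;
        if (first >= 0 && last < 0) last = LLONG_MAX;   /* open-ended "a-" */
        if (first >= 0 && last < first) continue;       /* invalid spec, skipped */
        out->count++;
        if (first >= 0) {                               /* suffix "-n" not compared */
            if (first <= max_end) out->overlapping++;
            if (last > max_end) max_end = last;
        }
    }
    /* Assumption: every range costs at least one bucket header. */
    out->min_bucket_bytes = (size_t)out->count * sizeof(struct bucket_model);
    return 0;
}

/* Hypothetical policy: flag malformed, overlapping, or too many ranges. */
int range_is_suspicious(const char *value, int max_ranges)
{
    struct range_stats s;
    if (inspect_range(value, &s) != 0) return 1;
    return s.count > max_ranges || s.overlapping > 0;
}

int main(void)
{
    struct range_stats s;
    const char *hdr = "bytes=0-,1-,2-,3-";   /* constructed sample value */
    if (inspect_range(hdr, &s) == 0)
        printf("%d ranges, %d overlapping, >= %zu bucket bytes\n",
               s.count, s.overlapping, s.min_bucket_bytes);
    return 0;
}
```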
References:
http://www.ipa.go.jp/security/ciadr/vul/20110831-apache.html
http://httpd.apache.org/download.cgi#apache20
http://d.hatena.ne.jp/nice20/20110829/p1