## 9.04.2011

### Apache: CVE-2011-3192 httpd: multiple ranges DoS

Notes on the Apache vulnerability CVE-2011-3192.

This concerns the so-called "Apache Killer": the byterange filter in httpd 2.0.x up to 2.0.64 and 2.2.x up to 2.2.19 serves each range of a Range header by splitting and copying buckets of the response, so a single request carrying many overlapping ranges drives memory and CPU consumption (fixed in 2.2.20, with the MaxRanges directive added in 2.2.21).

The apr_bucket structure.

In the Apache 2.0 series the source was in srclib\apr-util\include\apr_buckets.h. (The excerpt below leaves out the struct's first member, `APR_RING_ENTRY(apr_bucket) link`, which chains the bucket into its brigade.)

```c
/**
 * apr_bucket structures are allocated on the malloc() heap and
 * their lifetime is controlled by the parent apr_bucket_brigade
 * structure. Buckets can move from one brigade to another e.g. by
 * calling APR_BRIGADE_CONCAT(). In general the data in a bucket has
 * the same lifetime as the bucket and is freed when the bucket is
 * destroyed; if the data is shared by more than one bucket (e.g.
 * after a split) the data is freed when the last bucket goes away.
 */
struct apr_bucket {
    /** The type of bucket.  */
    const apr_bucket_type_t *type;
    /** The length of the data in the bucket.  This could have been implemented
     *  with a function, but this is an optimization, because the most
     *  common thing to do will be to get the length.  If the length is unknown,
     *  the value of this field will be (apr_size_t)(-1).
     */
    apr_size_t length;
    /** The start of the data in the bucket relative to the private base
     *  pointer.  The vast majority of bucket types allow a fixed block of
     *  data to be referenced by multiple buckets, each bucket pointing to
     *  a different segment of the data.  That segment starts at base+start
     *  and ends at base+start+length.
     *  If the length == (apr_size_t)(-1), then start == -1.
     */
    apr_off_t start;
    /** type-dependent data hangs off this pointer */
    void *data;
    /**
     * Pointer to function used to free the bucket. This function should
     * always be defined and it should be consistent with the memory
     * function used to allocate the bucket. For example, if malloc() is
     * used to allocate the bucket, this pointer should point to free().
     * @param e Pointer to the bucket being freed
     */
    void (*free)(void *e);
    /** The freelist from which this bucket was allocated */
    apr_bucket_alloc_t *list;
};
```
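The following is an added example, not APR or httpd code: a constructed model of buckets as (start, length) views onto shared data, in the spirit of the struct above, used to show why a Range header with many overlapping ranges is expensive and what the mitigation looks like. `serve_ranges_unbounded` models the pre-fix shape of the byterange filter (one freshly allocated bucket per requested range); `serve_ranges_hardened` models the fix's shape (cap the range count, then merge overlapping ranges before allocating). The 10,000-byte body, the 1300-range header and the cap of 200 are constructed values; the parsing and merging rules are this example's own simplification, not httpd's exact logic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not APR code: a shared data block with a reference
 * count, and buckets that are (start, length) views of it, like
 * base+start / length in struct apr_bucket. */
typedef struct { size_t len; size_t refs; } shared_t;
typedef struct bucket { shared_t *data; size_t start; size_t length; struct bucket *next; } bucket_t;
typedef struct { bucket_t *head; size_t nbuckets; size_t nbytes_referenced; } brigade_t;

/* Heap-allocate one bucket (apr_bucket structs live on the malloc() heap too). */
static void bucket_new(brigade_t *bb, shared_t *d, size_t start, size_t length) {
    bucket_t *b = malloc(sizeof *b);
    b->data = d; b->start = start; b->length = length; b->next = bb->head;
    bb->head = b; bb->nbuckets++; bb->nbytes_referenced += length; d->refs++;
}

/* Destroy every bucket; the shared data goes away with the last reference. */
static void brigade_free(brigade_t *bb) {
    for (bucket_t *b = bb->head, *n; b; b = n) {
        n = b->next;
        if (--b->data->refs == 0) free(b->data);
        free(b);
    }
    bb->head = NULL; bb->nbuckets = 0; bb->nbytes_referenced = 0;
}

typedef struct { long first, last; } range_t;

/* Parse "bytes=a-b,c-d,-n,m-" against a body of clen bytes. Returns the number
 * of ranges found (only the first max are stored), -1 on bad syntax or an
 * unsatisfiable range. Simplified grammar, not httpd's parser. */
static int parse_ranges(const char *hdr, size_t clen, range_t *out, int max) {
    if (strncmp(hdr, "bytes=", 6) != 0) return -1;
    const char *p = hdr + 6;
    int n = 0;
    while (*p) {
        char *end; long first = -1, last = -1;
        if (*p != '-') { first = strtol(p, &end, 10); if (end == p) return -1; p = end; }
        if (*p++ != '-') return -1;
        if (*p && *p != ',') { last = strtol(p, &end, 10); if (end == p) return -1; p = end; }
        if (first < 0 && last < 0) return -1;
        if (first < 0) { first = last > (long)clen ? 0 : (long)clen - last; last = (long)clen - 1; }
        else if (last < 0 || last >= (long)clen) last = (long)clen - 1;
        if (first > last) return -1;              /* unsatisfiable, e.g. "5-1" */
        if (n < max) { out[n].first = first; out[n].last = last; }
        n++;
        if (*p == ',') p++; else if (*p) return -1;
    }
    return n;
}

#define RANGE_SLOTS 4096   /* storage limit of this model only */

/* Pre-fix shape: one new bucket per requested range, overlapping or not.
 * Returns the number of buckets now in the brigade. */
static size_t serve_ranges_unbounded(const char *hdr, size_t clen, brigade_t *out) {
    range_t r[RANGE_SLOTS];
    int n = parse_ranges(hdr, clen, r, RANGE_SLOTS);
    if (n <= 0) return 0;
    if (n > RANGE_SLOTS) n = RANGE_SLOTS;
    shared_t *d = malloc(sizeof *d);
    d->len = clen; d->refs = 0;
    for (int i = 0; i < n; i++)
        bucket_new(out, d, (size_t)r[i].first, (size_t)(r[i].last - r[i].first + 1));
    return out->nbuckets;
}

static int cmp_range(const void *a, const void *b) {
    long x = ((const range_t *)a)->first, y = ((const range_t *)b)->first;
    return (x > y) - (x < y);
}

/* Mitigation shape (a cap like MaxRanges plus range merging, modelled here):
 * an invalid header or more than max_ranges ranges means "ignore Range" and
 * serve the whole body as one bucket; otherwise sort, coalesce overlapping or
 * adjacent ranges, and only then allocate. Returns ranges served (0 = whole body). */
static int serve_ranges_hardened(const char *hdr, size_t clen, int max_ranges, brigade_t *out) {
    range_t r[RANGE_SLOTS];
    int n = parse_ranges(hdr, clen, r, RANGE_SLOTS);
    shared_t *d = malloc(sizeof *d);
    d->len = clen; d->refs = 0;
    if (n <= 0 || n > max_ranges || n > RANGE_SLOTS) { bucket_new(out, d, 0, clen); return 0; }
    qsort(r, (size_t)n, sizeof r[0], cmp_range);
    int m = 0;
    for (int i = 1; i < n; i++) {
        if (r[i].first <= r[m].last + 1) { if (r[i].last > r[m].last) r[m].last = r[i].last; }
        else r[++m] = r[i];
    }
    m++;
    for (int i = 0; i < m; i++)
        bucket_new(out, d, (size_t)r[i].first, (size_t)(r[i].last - r[i].first + 1));
    return m;
}

/* Constructed attack-shaped header: n open ranges "0-,1-,2-,..." that all
 * overlap, the pattern the CVE describes (not the exact public script string). */
static char *build_overlapping_range_header(int n) {
    char *buf = malloc(7 + (size_t)n * 13);
    size_t off = (size_t)sprintf(buf, "bytes=");
    for (int k = 0; k < n; k++) off += (size_t)sprintf(buf + off, "%s%d-", k ? "," : "", k);
    return buf;
}

int main(void) {
    size_t clen = 10000;                                   /* constructed body size */
    char *hdr = build_overlapping_range_header(1300);
    brigade_t before = {0}, after = {0};
    serve_ranges_unbounded(hdr, clen, &before);
    serve_ranges_hardened(hdr, clen, 200, &after);
    printf("unfixed : %zu buckets, %zu bytes referenced for a %zu-byte body\n",
           before.nbuckets, before.nbytes_referenced, clen);
    printf("hardened: %zu buckets, %zu bytes referenced\n", after.nbuckets, after.nbytes_referenced);
    brigade_free(&before); brigade_free(&after); free(hdr);
    return 0;
}
```

The point the model makes visible is that the cost is decided before any data is touched: 1300 overlapping ranges turn a 10,000-byte body into 1300 heap-allocated buckets referencing over 12 MB of output, while the hardened path rejects on the raw range count first and merges whatever survives, so a legitimate multi-range request still works but overlap can no longer multiply the work.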