Notes on Apache vulnerability CVE-2011-3192
Regarding the so-called Apache Killer.
The main actor behind the httpd process-size bloat caused by Range-header requests that specify multiple (mostly 1-byte-increment) ranges is
the apr_bucket structure.
For the Apache 2.0 series, the source was in srclib\apr-util\include\apr_buckets.h.
/**
 * apr_bucket structures are allocated on the malloc() heap and
 * their lifetime is controlled by the parent apr_bucket_brigade
 * structure. Buckets can move from one brigade to another e.g. by
 * calling APR_BRIGADE_CONCAT(). In general the data in a bucket has
 * the same lifetime as the bucket and is freed when the bucket is
 * destroyed; if the data is shared by more than one bucket (e.g.
 * after a split) the data is freed when the last bucket goes away.
 */
struct apr_bucket {
    /** Links to the rest of the brigade */
    APR_RING_ENTRY(apr_bucket) link;
    /** The type of bucket. */
    const apr_bucket_type_t *type;
    /** The length of the data in the bucket. This could have been implemented
     *  with a function, but this is an optimization, because the most
     *  common thing to do will be to get the length. If the length is unknown,
     *  the value of this field will be (apr_size_t)(-1).
     */
    apr_size_t length;
    /** The start of the data in the bucket relative to the private base
     *  pointer. The vast majority of bucket types allow a fixed block of
     *  data to be referenced by multiple buckets, each bucket pointing to
     *  a different segment of the data. That segment starts at base+start
     *  and ends at base+start+length.
     *  If the length == (apr_size_t)(-1), then start == -1.
     */
    apr_off_t start;
    /** type-dependent data hangs off this pointer */
    void *data;
    /**
     * Pointer to function used to free the bucket. This function should
     * always be defined and it should be consistent with the memory
     * function used to allocate the bucket. For example, if malloc() is
     * used to allocate the bucket, this pointer should point to free().
     * @param e Pointer to the bucket being freed
     */
    void (*free)(void *e);
    /** The freelist from which this bucket was allocated */
    apr_bucket_alloc_t *list;
};
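Since every range in a Range header ends up as at least one apr_bucket in the response brigade, the number of ranges per request is the quantity a defender wants to bound. The following is an added example (not code from the original post, APR or httpd) of a Range-header counter and a reject check; the MAX_RANGES threshold and the build_test_header() sample input are assumptions constructed here for illustration.

```c
/* Added example: count byte-range specs in a Range header and flag requests
 * whose range count exceeds an assumed limit. Not part of httpd or APR. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */
#include <ctype.h>

#define MAX_RANGES 5   /* assumed threshold; tune for the deployment */

/* Returns the number of range specs in "bytes=a-b,c-d,...", or -1 when the
 * value is not a byte-range set. Empty specs ("0-1,,2-3") are ignored. */
int count_byte_ranges(const char *value)
{
    const char *p = value;
    int n = 0;
    while (*p && isspace((unsigned char)*p)) p++;
    if (strncasecmp(p, "bytes=", 6) != 0) return -1;
    p += 6;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (memchr(p, '-', len) != NULL) n++;   /* a spec needs a '-' */
        p = end ? end + 1 : p + len;
    }
    return n;
}

/* 1 when the header carries more ranges than MAX_RANGES, else 0. */
int range_header_exceeds_limit(const char *value)
{
    return count_byte_ranges(value) > MAX_RANGES;
}

/* Constructed sample input: a header with `ranges` one-byte ranges, the
 * shape described in the post, used only to exercise the check above. */
const char *build_test_header(int ranges)
{
    static char buf[1024];
    size_t used = (size_t)snprintf(buf, sizeof buf, "bytes=0-");
    for (int i = 1; i < ranges && used < sizeof buf; i++)
        used += (size_t)snprintf(buf + used, sizeof buf - used, ",%d-%d", i, i);
    return buf;
}

int main(void)
{
    const char *h = build_test_header(20);
    printf("%d ranges, reject=%d\n", count_byte_ranges(h),
           range_header_exceeds_limit(h));
    return 0;
}
```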
References:
http://www.ipa.go.jp/security/ciadr/vul/20110831-apache.html
http://httpd.apache.org/download.cgi#apache20
http://d.hatena.ne.jp/nice20/20110829/p1