Re: Buffer overflow in apr_brigade_vprintf() ?

From: C. Michael Pilato <cmpilato_at_collab.net>
Date: Fri, 24 Apr 2009 17:06:07 -0400

C. Michael Pilato wrote:
> [Please Cc: me in responses -- I think I still have APR commit privs, but
> I'm not active here and not subscribed to the mailing lists.]
>
> In the past couple of weeks, I've seen two different reports of what appears
> to be corruption in the stream of data transmitted by Subversion's
> mod_dav_svn through Apache and back to the Subversion client. What is seen
> client-side is an opening XML tag, a truncated bit of CDATA "inside" the
> tag, and then a missing XML closing tag. The problem seems to occur with
> magically sized chunks of data, so it can be hard to reproduce[1].

[...]

Just to bring this to closure, the bug was fixed by committing the removal
of the code that tacks the NULL byte onto a possibly-already-full buffer:

   http://svn.apache.org/viewvc?view=rev&revision=768417

(Thanks, Ruediger and Jeff!)

-- 
C. Michael Pilato <cmpilato_at_collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1897748

Received on 2009-04-24 23:06:25 CEST

This is an archived mail posted to the Subversion Dev mailing list.
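
Added example (not part of the original message and not APR's code): a constructed C model of the bug class the message describes, a terminator written unconditionally after formatting into a fixed-size buffer. CAP, struct fmtbuf and every function name are hypothetical; the guard byte makes the one-byte overrun observable, and it appears only when the output length is an exact multiple of the buffer size.

```c
#include <stddef.h>
#include <string.h>

#define CAP 8        /* constructed size standing in for the real buffer size */
#define CANARY 0xA5  /* guard value; any byte other than 0 works */

/* Constructed model: CAP usable bytes followed by one guard byte, so the
 * stray write lands somewhere observable instead of in undefined memory. */
struct fmtbuf {
    unsigned char data[CAP + 1];  /* data[CAP] is the guard, not buffer space */
    size_t cur;                   /* next write position, 0..CAP */
    size_t flushed;               /* bytes already handed downstream */
};

static void fb_init(struct fmtbuf *fb) {
    memset(fb->data, 0, CAP);
    fb->data[CAP] = CANARY;
    fb->cur = 0;
    fb->flushed = 0;
}

/* Append bytes, flushing only when a new byte finds the buffer full.
 * Input of exactly CAP bytes (or a multiple) ends with cur == CAP. */
static void fb_append(struct fmtbuf *fb, const char *s, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (fb->cur == CAP) { fb->flushed += CAP; fb->cur = 0; }
        fb->data[fb->cur++] = (unsigned char)s[i];
    }
}

/* Before: terminate unconditionally. With cur == CAP this writes data[CAP]. */
static size_t finish_terminating(struct fmtbuf *fb) {
    fb->data[fb->cur] = '\0';
    return fb->flushed + fb->cur;
}

/* After: no terminator; the consumer is handed an explicit length instead. */
static size_t finish_counted(struct fmtbuf *fb) {
    return fb->flushed + fb->cur;
}

/* Returns 1 if the guard byte survived formatting `s` with the chosen finish. */
static int guard_intact(const char *s, int terminate) {
    struct fmtbuf fb;
    fb_init(&fb);
    fb_append(&fb, s, strlen(s));
    if (terminate) finish_terminating(&fb); else finish_counted(&fb);
    return fb.data[CAP] == CANARY;
}
```

Inputs of 7 or 9 bytes leave the guard untouched under either finish; only the exactly-full case trips the terminating version, which is why this kind of defect is hard to reproduce.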