Details
- Bug
- Status: Closed
- Critical
- Resolution: Fixed
- 1.6.0
- None
- RHEL Linux 4.3. Axis2/c 1.6.0
Description
Here are the HTTP headers from the response from the web service (obtained from tcpmon):
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2010 18:47:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: pabca=E1805E180758BC35D93575A3597546AFD230A7607FA5BAE50040E84E5D45EB45732A0F11E079EE9233258616347A96DA23EE87A42A999CE55679596A4C2E7505CEC45630684815FB399246F720B76DC12DC52D9AE57ECD329F1BD0D10F09B284280733B6C21213053E1E4E6974668B77B0EFE7FFFB39F51F4A4F02ED6C2BA46531BAF3412E667076A5D677A933D6FE9EDD37488867D7CD5D9E0FA205E62002BE3E0818427A07EE8A52A99DF0605DC9AF0C93A1610285E65CF59397F6A06959C48CB83268E2BDC3DA1578D1082F4578A9A4B594F58FB41596F108E5D486C2B1E9DBA3F9E; domain=somecompany.com; path=/; HttpOnly
Cache-Control: private, max-age=0
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 899
Because the "Set-Cookie" header is too long (it has 516 chars), when parsing this line in "core/transport/http/sender/http_client.c" line 623 (see below), axis2/c enters an infinite loop because it cannot find the end of line. The client never finishes because of this infinite loop.
    /* now read the headers */
    memset(str_header, 0, 512);
    end_of_line = AXIS2_FALSE;
    while (AXIS2_FALSE == end_of_headers)
    {
        /* read one byte at a time and append it to the 512-byte str_header */
        while ((read = axutil_stream_read(client->data_stream, env, tmp_buf,
                                          1)) > 0)
        {
            tmp_buf[read] = '\0';
            strcat(str_header, tmp_buf);
            if (0 != strstr(str_header, AXIS2_HTTP_CRLF)) /* !!! never true !!!*/
            {
                end_of_line = AXIS2_TRUE;
                break;
            }
        }
        if (AXIS2_TRUE == end_of_line)
        {
            /* a line holding only CRLF ends the header section */
            if (0 == axutil_strcmp(str_header, AXIS2_HTTP_CRLF))
            {
                end_of_headers = AXIS2_TRUE;
            }
            else
            {
                axis2_http_header_t *tmp_header =
                    axis2_http_header_create_by_str(env, str_header);
                memset(str_header, 0, 512);
                if (tmp_header)
                {
                    axis2_http_simple_response_set_header(client->response,
                                                          env, tmp_header);
                }
            }
        }
        end_of_line = AXIS2_FALSE;
    }
    axis2_http_simple_response_set_body_stream(client->response, env,
                                               client->data_stream);
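The loop above appends to a 512-byte buffer with strcat and never compares the accumulated length with the buffer size. As an added example (not code from the report or from the Axis2/C project), here is a bounded line reader that returns an error for an over-long header instead of writing past the buffer or looping; `mem_stream`, `read_header_line` and `demo_second_line` are hypothetical names, and the wire data is constructed.

```c
#include <stddef.h>
#include <string.h>

#define HDR_CAP 512   /* same size as the str_header buffer in the report */
enum { HDR_EOF = -1, HDR_TOO_LONG = -2 };

/* Hypothetical in-memory stand-in for the transport stream. */
typedef struct { const char *data; size_t len, pos; } mem_stream;

/* Read one CRLF-terminated line into buf (capacity cap, NUL included).
 * Returns the line length including CRLF, HDR_EOF if the stream ends first,
 * or HDR_TOO_LONG if no CRLF arrives before the buffer is full. */
static int read_header_line(mem_stream *s, char *buf, size_t cap)
{
    size_t n = 0;
    while (s->pos < s->len) {
        if (n + 1 >= cap) return HDR_TOO_LONG;   /* keep room for the NUL */
        buf[n++] = s->data[s->pos++];            /* one byte per iteration */
        buf[n] = '\0';
        if (n >= 2 && buf[n - 2] == '\r' && buf[n - 1] == '\n')
            return (int)n;
    }
    return HDR_EOF;
}

/* Constructed input: a short header, then a Set-Cookie line carrying
 * value_len filler characters. Returns the result for the second line. */
static int demo_second_line(size_t value_len)
{
    static char wire[2048];
    char line[HDR_CAP];
    size_t off;
    mem_stream s;

    if (value_len > 1024) return -100;           /* keep wire[] in bounds */
    strcpy(wire, "Server: example\r\nSet-Cookie: ");
    off = strlen(wire);
    memset(wire + off, 'A', value_len);
    strcpy(wire + off + value_len, "\r\n");
    s.data = wire; s.len = strlen(wire); s.pos = 0;

    if (read_header_line(&s, line, sizeof line) != 17) return -100;
    return read_header_line(&s, line, sizeof line);
}

int main(void)
{
    return demo_second_line(516) == HDR_TOO_LONG ? 0 : 1;
}
```

A caller that must accept long cookies would grow the buffer on HDR_TOO_LONG up to a fixed ceiling; either way the length check has to happen before the write.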
Issue Links
- duplicates AXIS2C-1415 Buffer overrun in axis2_http_client_recieve_header when receiving a HTTP header field larger than 512 bytes in length. (Closed)
- relates to AXIS2C-1661 vulnerability : buffer overflow in axis2/c http client (Closed)