From: Bradley Nicholes
Date: Mon, 12 Apr 2004 21:34:18 +0000 (+0000)
Subject: Don't allocate large buffers on the stack to avoid over-running a fixed length...
X-Git-Tag: 2.0.50~206
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c8403fffb71f3428f16d9332470302fdfcb3b7e9;p=thirdparty%2Fapache%2Fhttpd.git

Don't allocate large buffers on the stack to avoid over-running a fixed length stack when ap_build_cont_config() is called recursively (i.e. nested blocks).

Reviewed by: bnicholes, nd, trawick

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@103373 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/STATUS b/STATUS index 64c5133c5e4..bee02761ba3 100644 --- a/STATUS +++ b/STATUS @@ -1,5 +1,5 @@ APACHE 2.0 STATUS: -*-text-*- -Last modified at [$Date: 2004/04/12 21:26:25 $] +Last modified at [$Date: 2004/04/12 21:34:18 $] Release: @@ -115,13 +115,6 @@ PATCHES TO BACKPORT FROM 2.1 http://cvs.apache.org/viewcvs.cgi/httpd-2.0/server/core.c?r1=1.272&r2=1.273 +1: nd (geoff) - *) Nested blocks will cause ap_build_cont_config() - to be called recursively. Allocate the temporary 8k - string buffer from the temp_pool rather than the stack to - avoid over-running a fixed length stack. - server/config.c: r1.174 - +1: bnicholes, nd, trawick - *) Fix segfault in mod_expires. PR 28047 modules/metadata/mod_expires.c: r1.54 +1: nd, bnicholes, trawick diff --git a/server/config.c b/server/config.c index b99776a059a..1ff94d54f57 100644 --- a/server/config.c +++ b/server/config.c 
@@ -985,11 +985,17 @@ AP_DECLARE(const char *) ap_build_cont_config(apr_pool_t *p, ap_directive_t **curr_parent, char *orig_directive) { - char l[MAX_STRING_LEN]; + char *l; char *bracket; const char *retval; ap_directive_t *sub_tree = NULL; + /* Since this function can be called recursively, allocate + * the temporary 8k string buffer from the temp_pool rather + * than the stack to avoid over-running a fixed length stack. + */ + l = apr_palloc(temp_pool, MAX_STRING_LEN); + bracket = apr_pstrcat(p, orig_directive + 1, ">", NULL); while (!(ap_cfg_getline(l, MAX_STRING_LEN, parms->config_file))) { if (!memcmp(l, "
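Review bot: In the server/config.c hunk, the added line "l = apr_palloc(temp_pool, MAX_STRING_LEN);" shrinks each stack frame but leaves the recursion depth itself unbounded, so a configuration with enough nested containers can still exhaust a fixed-length stack, only at a greater depth. Each level now also takes a fresh MAX_STRING_LEN block from temp_pool that is not released when the call returns, so pool usage grows with nesting depth until temp_pool is cleared. Consider adding an explicit nesting-depth limit that returns a configuration error, and, if nothing after the recursive call reads the previous contents of l, allocating the buffer once in the outermost call and passing it down. A smaller point: the new comment hard-codes "8k" while the allocation uses MAX_STRING_LEN; referring to the constant in the comment would keep it accurate if the value changes. The visible context does not show where temp_pool and parms are declared, so it is worth confirming that temp_pool is the short-lived parse-time pool and not a pool that lives as long as the server.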