Vigil@nce - APR-util: denial of service via apr_brigade_split_line
October 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use data containing several objects, in order to
create a denial of service in applications using the APR-util
apr_brigade_split_line() function.
Severity: 2/4
Creation date: 04/10/2010
DESCRIPTION OF THE VULNERABILITY
The APR-util library processes the following objects:
– bucket: an abstract storage area (memory, file, etc.).
– brigade: a chained list of buckets
The apr_brigade_split_line() function splits in two the first
bucket (located in a brigade) containing a line feed. In order to
do so, this function goes through the brigade, and searches a line
feed in each bucket. If the bucket does not contain a line feed,
it should be only added. However, due to a coding error, the full
chained list is added. The brigade resulting from the call to
apr_brigade_split_line() thus rapidely becomes very big (as long
as no line feed is found).
An attacker can therefore use data containing several objects, in
order to create a denial of service in applications using the
APR-util apr_brigade_split_line() function.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/APR-util-denial-of-service-via-apr-brigade-split-line-9993