Buffer overflow in mod_manager when request's JVMRoute or configured ManagerBalancerName is too long
Issue
- When a request provides a JVMRoute over 80 characters long, we see a buffer overflow causing a crash in mod_manager
- When we configure a ManagerBalancerName setting over 80 characters long, we see a buffer overflow causing a crash in mod_manager when JBoss sends a CONFIG mcmp
- How do I resolve CVE-2016-4459 ?
- httpd crashed and the backtrace shows the following:
#0 0x00007f5c4dfeb925 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 #1 0x00007f5c4dfed105 in abort () at abort.c:92 #2 0x00007f5c4e029837 in __libc_message (do_abort=2, fmt=0x7f5c4e110930 "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198 #3 0x00007f5c4e0bb827 in __fortify_fail (msg=0x7f5c4e1108d6 "buffer overflow detected") at fortify_fail.c:32 #4 0x00007f5c4e0b9710 in __chk_fail () at chk_fail.c:29 #5 0x00007f5c44e18691 in strcpy (s=0x7f5c51d15ba8, node=0x7f5c1d5cdad0, route=<value optimized out>) at /usr/include/bits/string3.h:105 #6 find_node (s=0x7f5c51d15ba8, node=0x7f5c1d5cdad0, route=<value optimized out>) at node.c:227 #7 0x00007f5c44c07f67 in find_nodedomain (r=0x7f58ec082478, conf=0x7f5c51d9ffa0, vhost_table=0x7f5c1d5cdc10, context_table=0x7f5c1d5cdbf0, balancer_table=0x7f5c1d5cdbd0, node_table=0x7f5c1d5cdbb0) at mod_proxy_cluster.c:2733 #8 get_route_balancer (r=0x7f58ec082478, conf=0x7f5c51d9ffa0, vhost_table=0x7f5c1d5cdc10, context_table=0x7f5c1d5cdbf0, balancer_table=0x7f5c1d5cdbd0, node_table=0x7f5c1d5cdbb0) at mod_proxy_cluster.c:2822 #9 0x00007f5c44c0905b in proxy_cluster_trans (r=0x7f58ec082478) at mod_proxy_cluster.c:2980
Environment
- JBoss Enterprise Application Platform (EAP) 6.x
- Apache httpd
- mod_cluster 1.2.11 and earlier
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.