FIX: Access Violation in MFC ISAPI with Large Query String (216562)



The information in this article applies to:

  • Microsoft Visual C++, 32-bit Enterprise Edition 5.0
  • Microsoft Visual C++, 32-bit Enterprise Edition 6.0
  • Microsoft Visual C++, 32-bit Professional Edition 5.0
  • Microsoft Visual C++, 32-bit Professional Edition 6.0
  • Microsoft Visual C++, 32-bit Learning Edition 6.0

This article was previously published under Q216562

SYMPTOMS

An access violation occurs when an ISAPI extension receives a query string of more than 256 characters and there is a problem calling the appropriate parse function.

CAUSE

The problem is caused by the CHttpServer::OnParseError implementation in the Isapi.cpp MFC source file. The following code is from Visual C++ 5.0 SP3, lines 526-527:

    wsprintf(szFormat, szBuffer, pszObject);
    *pCtxt << szFormat;

pszObject points to the query string used to invoke the ISAPI DLL and szFormat is declared as follows:

    TCHAR szFormat[256];
Therefore, any query string larger than 256 - strlen(szBuffer) will cause a stack corruption. It can potentially write over the pCtxt pointer. Following the wsprintf, the execution of the "<<" operation will use the modified address of the pCtxt pointer and may cause an access violation.

Visual C++ 6.0 has a similar problem in Line 707 of Isapi.cpp.

RESOLUTION

This problem is resolved in Visual Studio 6.0 Service Pack 3 (SP3). To fix ISAPIs created using earlier versions of Visual C++, just rebuild using Visual C++ 6.0 SP3 or later.

To obtain the latest Visual Studio Service Pack, see the following Web site:

A simple workaround is to override the virtual CHttpServer::OnParseError. The following code could be used:
    // Override in the wizard-generated CHttpServer-derived class
    // (CMfcBugExtension is the sample extension's class name).
    BOOL CMfcBugExtension::OnParseError(CHttpServerContext* pCtxt, int nCause)
    {
        ISAPITRACE("Calling OnParseError\n");
        // 200 leaves headroom below the 256-character szFormat buffer
        // for the format text that the base implementation prepends.
        if (
             (pCtxt->m_pECB->lpszPathInfo != NULL &&
              strlen(pCtxt->m_pECB->lpszPathInfo) > 200) ||
             (pCtxt->m_pECB->lpszQueryString != NULL &&
              strlen(pCtxt->m_pECB->lpszQueryString) > 200)
           )
        {
            // Too long for the base class to format safely:
            // send a generic error page instead of calling it.
            pCtxt->Reset();
            StartContent(pCtxt);
            WriteTitle(pCtxt);
            *pCtxt << "Parsing error occurred!!!";
            EndContent(pCtxt);
            return TRUE;
        }
        else
            // Short enough: let the default implementation report the error.
            return CHttpServer::OnParseError(pCtxt, nCause);
    }
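The following C program is an added example, not code from this article or from MFC. It models the two ideas above outside of ISAPI so they can be run and tested: the workaround's length pre-check (request_too_long, same 200-character threshold) and a bounded replacement for the unbounded wsprintf into the 256-character szFormat buffer (format_parse_error, using snprintf so that an over-long query string is truncated rather than written past the buffer). The function names, the "Unrecognized command: %s" format text standing in for szBuffer, and the sample_query input generator are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Same size as the TCHAR szFormat[256] buffer in CHttpServer::OnParseError. */
#define FORMAT_BUF_SIZE 256
/* Same threshold as the article's workaround: leaves headroom for the
   format text that wsprintf prepends to the query string. */
#define MAX_SAFE_LEN 200

/* The workaround's pre-check, lifted out of MFC so it can be tested:
   true if either the path info or the query string is too long to be
   formatted safely into a 256-character buffer. NULL means "not present". */
bool request_too_long(const char *path_info, const char *query_string)
{
    return (path_info != NULL && strlen(path_info) > MAX_SAFE_LEN) ||
           (query_string != NULL && strlen(query_string) > MAX_SAFE_LEN);
}

/* Bounded replacement for the unbounded wsprintf(szFormat, szBuffer, pszObject):
   never writes more than out_size bytes and always NUL-terminates.
   Returns true if the whole message fit, false if it had to be truncated
   (the caller can then log, reject the request, or send a generic message). */
bool format_parse_error(char *out, size_t out_size, const char *fmt,
                        const char *object)
{
    if (out == NULL || out_size == 0 || fmt == NULL)
        return false;
    if (object == NULL)
        object = "";
    int needed = snprintf(out, out_size, fmt, object);
    /* snprintf reports the length the full message would have had;
       anything >= out_size means it was cut off. */
    return needed >= 0 && (size_t)needed < out_size;
}

/* Constructed sample input: n repeated 'a' characters, modelled on the
   repro step (crash.dll?aaaa...). Not data taken from the article. */
const char *sample_query(size_t n)
{
    static char buf[1024];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    /* Hypothetical format text standing in for the szBuffer resource string. */
    const char *fmt = "Unrecognized command: %s";
    char out[FORMAT_BUF_SIZE];
    size_t lens[] = { 10, 200, 300 };

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        const char *q = sample_query(lens[i]);
        bool rejected = request_too_long(NULL, q);
        bool fit = format_parse_error(out, sizeof out, fmt, q);
        printf("query length %3zu: pre-check %s, bounded format %s (%zu chars written)\n",
               lens[i], rejected ? "rejects" : "passes",
               fit ? "fit" : "truncated", strlen(out));
    }
    return 0;
}
```

The 300-character case is the one the repro step exercises: the pre-check rejects it before any formatting happens, and even without the pre-check the bounded formatter stops at 255 characters plus the terminator instead of overrunning the buffer and the saved pCtxt pointer next to it. The article's actual fix remains rebuilding with Visual C++ 6.0 SP3; this is only an illustration of why the two checks work.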

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Visual C++ 6.0 Service Pack 3.

MORE INFORMATION

Steps to Reproduce Behavior

  1. Use the MFC Wizard to create an ISAPI project.
  2. Without making any modifications, invoke ISAPI like this:
    http://server/scripts/crash.dll?aaaaa?a ... (200-300 a's) ... aaaa

REFERENCES

Visual C Online documentation for CHttpServer::OnParseError

Modification Type: Major
Last Reviewed: 1/26/2006
Keywords: kbbug kbfix KB216562