Microsoft KB Archive/216562

= FIX: Access Violation in MFC ISAPI with Large Query String =

Article ID: 216562

Article Last Modified on 8/7/2007

-

APPLIES TO


 * Microsoft Visual C++ 5.0 Enterprise Edition
 * Microsoft Visual C++ 6.0 Enterprise Edition
 * Microsoft Visual C++ 5.0 Professional Edition
 * Microsoft Visual C++ 6.0 Professional Edition
 * Microsoft Visual C++ 6.0 Standard Edition

-



This article was previously published under Q216562



SYMPTOMS
An access violation occurs when an ISAPI extension receives a query string of more than 256 characters and there is a problem calling the appropriate parse function.



CAUSE
The problem is caused by the CHttpServer::OnParseError implementation in the Isapi.cpp MFC source file. The following code is from Visual C++ 5.0 SP3, Isapi.cpp lines 526-527:

    wsprintf(szFormat, szBuffer, pszObject);
    *pCtxt << szFormat;

pszObject points to the query string used to invoke the ISAPI DLL, and szFormat is declared as follows:

    TCHAR szFormat[256];

Therefore, any query string larger than 256 - strlen(szBuffer) causes a stack corruption. It can potentially overwrite the pCtxt pointer. Following the wsprintf, the "<<" operation dereferences the modified pCtxt pointer and may cause an access violation.

Visual C++ 6.0 has a similar problem in Line 707 of Isapi.cpp.



RESOLUTION
This problem is resolved in Visual Studio 6.0 Service Pack 3 (SP3). To fix ISAPIs created using earlier versions of Visual C++, just rebuild using Visual C++ 6.0 SP3 or later.

To obtain the latest Visual Studio Service Pack, see the following Web site:

http://msdn2.microsoft.com/en-us/vstudio/Aa718353.aspx

A simple workaround is to override the virtual CHttpServer::OnParseError. The following code could be used:

    BOOL CMfcBugExtension::OnParseError(CHttpServerContext* pCtxt, int nCause)
    {
        ISAPITRACE("Calling OnParseError\n");
        // Refuse oversized input before the MFC default handler can
        // overflow its 256-byte stack buffer.
        if ((pCtxt->m_pECB->lpszPathInfo != NULL &&
             strlen(pCtxt->m_pECB->lpszPathInfo) > 200) ||
            (pCtxt->m_pECB->lpszQueryString != NULL &&
             strlen(pCtxt->m_pECB->lpszQueryString) > 200))
        {
            pCtxt->Reset();
            StartContent(pCtxt);
            WriteTitle(pCtxt);
            *pCtxt << "Parsing error occurred!!!";
            EndContent(pCtxt);
            return TRUE;
        }
        else
            return CHttpServer::OnParseError(pCtxt, nCause);
    }
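The defect and the workaround above reduce to one rule: the message must never be formatted into the 256-byte stack buffer without a bound. The following added example (not MFC's code and not from this article) shows the bounded formatting a fixed OnParseError needs, next to the 200-character pre-check the workaround uses. The format string kParseErrorFormat is a constructed stand-in for the resource string MFC loads into szBuffer, and every function name is hypothetical.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Stack buffer size used by MFC's CHttpServer::OnParseError (TCHAR szFormat[256]).
const size_t kFormatBufSize = 256;
// Constructed stand-in for the resource string MFC loads into szBuffer; like the
// real one it carries a single %s that receives the query string.
const char* const kParseErrorFormat = "Parse error while processing '%s'";
// Length threshold used by the KB workaround's OnParseError override.
const size_t kWorkaroundLimit = 200;

// Bounded replacement for wsprintf(szFormat, szBuffer, pszObject): never writes
// past bufSize bytes; returns false when the message had to be truncated.
bool FormatParseError(char* buf, size_t bufSize, const char* fmt, const char* object) {
    if (buf == nullptr || bufSize == 0) return false;
    if (object == nullptr) object = "";
    int needed = std::snprintf(buf, bufSize, fmt, object);
    if (needed < 0) { buf[0] = '\0'; return false; }
    return static_cast<size_t>(needed) < bufSize;  // snprintf always NUL-terminates
}

// The workaround's pre-check: true when path info or query string is over the limit.
bool ExceedsParseLimit(const char* pathInfo, const char* queryString) {
    return (pathInfo != nullptr && std::strlen(pathInfo) > kWorkaroundLimit) ||
           (queryString != nullptr && std::strlen(queryString) > kWorkaroundLimit);
}

// Does the formatted message for this query fit the 256-byte buffer untruncated?
bool ParseErrorFits(const char* queryString) {
    char szFormat[kFormatBufSize];
    return FormatParseError(szFormat, sizeof szFormat, kParseErrorFormat, queryString);
}

// Text a hardened OnParseError would stream to the client: the workaround's fixed
// message for oversized input, otherwise the bounded-formatted text. Either way the
// 256-byte stack buffer is never overrun, so pCtxt cannot be clobbered.
std::string BuildParseErrorMessage(const char* pathInfo, const char* queryString) {
    if (ExceedsParseLimit(pathInfo, queryString)) return "Parsing error occurred!!!";
    char szFormat[kFormatBufSize];
    FormatParseError(szFormat, sizeof szFormat, kParseErrorFormat, queryString);
    return szFormat;
}

// Query string of n 'a' characters, the shape of the article's repro input.
std::string MakeLongQuery(size_t n) { return std::string(n, 'a'); }
```

Note that the 200-character gate only works because this format string is short; with a longer resource string the bounded snprintf, not the gate, is what keeps the buffer intact.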



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Visual C++ 6.0 Service Pack 3.



Steps to Reproduce Behavior
 * Use the MFC Wizard to create an ISAPI project.
 * Without making any modifications, invoke the ISAPI extension like this: http://server/scripts/crash.dll?aaaaa?a ... (200-300 a's) ... aaaa

