OpenSSO: IIS Agent - Cookie name without "=<cookie value>" in Header Causing "Memory Access Violation" Leading to IIS Hang/Crash (Doc ID 1290891.1)

Last updated on SEPTEMBER 21, 2016

Applies to:

Oracle OpenSSO - Version 7.1 to 8.0.2 [Release 7.0 to 8.0]
Generic Windows
- Policy Agent 2.2 for Microsoft Internet Information Services (IIS) 6.0
- Policy Agent 3.0 for Microsoft Internet Information Services (IIS) 7.0 and 7.5
- Any supported web container hosting Oracle OpenSSO web policy agents
- The issue affects any 2.2 or 3.0 web agent version PRIOR to web agent release 2.2-05 or web agent release 3.0-02, respectively.
This problem was primarily reported, identified and tested on Windows platforms hosting web policy agents 2.2 and 3.0 for IIS6 and IIS7.


Symptoms

When the agent receives a request with a header that is possibly corrupt, it fails to handle the request and causes IIS to crash.
The IIS instance hangs and no longer operates properly until it is restarted.

A Windows dump file similar to the following may be generated.

Windows dump file:
Wed Feb 24 07:03:18.038 2010 (GMT+0): (1a80.1bc4): Access violation - code c0000005 (!!! second chance !!!)
---
--- 2nd chance AccessViolation exception ----
---------------------------------------------------------------
 
Occurrence happened at:
Debug session time: Wed Feb 24 07:03:18.038 2010 (GMT+0)
System Uptime: 1 days 20:04:26.648
Process Uptime: 1 days 9:11:31.065
  Kernel time: 0 days 0:13:44.953
  User time: 0 days 0:32:00.218
 
Faulting stack below ---
 # Child-SP          RetAddr           : Args to Child                                                           : Call Site
00 00000000`0191fa10 000007ff`5e432171 : 00000000`00000004 00000000`00000000 00000000`00000000 00000000`0000016f : amiis6!HttpExtensionProc+0x3b1
01 00000000`0191fbd0 000007ff`5e5116f4 : 00000000`01c576d0 00000000`01c567e0 00000000`01c57798 00000000`00000000 : w3isapi!ProcessIsapiRequest+0x191
02 00000000`0191fc60 000007ff`5e4d75ba : 00000000`01c576d0 00000000`01c57798 00000000`01c567e0 00000000`00000000 : w3core!UlW3Start+0x1af64
03 00000000`0191fcf0 000007ff`5e501bc7 : 00000000`00000000 00000000`01c567e0 00000000`00000000 00000000`00000000 : w3core!W3_FILE_INFO_CACHE::GetFileCache+0x1b4a
04 00000000`0191fd60 000007ff`5e51b0c2 : 00000000`00000000 00000000`01c567e0 000007ff`5e550a00 00000000`01c567e0 : w3core!UlW3Start+0xb437
05 00000000`0191fda0 000007ff`5e508536 : 00000000`01c55b60 00000000`00000000 00000000`01c55bc0 00000000`00000000 : w3core!UlW3Start+0x24932
06 00000000`0191fe10 000007ff`5e4815fb : 00000000`01c55b60 00000000`02d53920 00000000`00000001 00000000`00000000 : w3core!UlW3Start+0x11da6
07 00000000`0191fe50 000007ff`5e481538 : 00000000`02d53920 00000000`01c45860 00000000`01c55b60 00000000`00000000 : w3dt+0x15fb
08 00000000`0191fe80 000007ff`5e48148c : 00000000`003274c0 00000000`00000000 00000000`00000001 00000000`00000000 : w3dt+0x1538
09 00000000`0191fec0 000007ff`5e4127e1 : 00000000`003274c0 00000000`00000000 00000000`00000001 00000000`003274c0 : w3dt+0x148c
0a 00000000`0191fef0 000007ff`5e4116eb : 00000000`0031f470 000007ff`5e410000 00000000`0031f470 000007ff`5e411680 : W3TP!THREAD_POOL::PostCompletion+0x101
0b 00000000`0191ff50 00000000`77d6b6da : 00000000`0031f470 00000000`00000000 00000000`00000000 00000000`0191ffa8 : W3TP+0x16eb
0c 00000000`0191ff80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadStart+0x3a
 


This behavior can occur with the 2.2 release of the web policy agent if the version is prior to 2.2-05 (also in any 2.2 ER that is prior to 2.2-04 ER3).

It can also occur with the 3.0 release of the web policy agent if the version is prior to 3.0-02.

 

Changes

A custom application with plug-ins, protected by the web agent for IIS, is inserting additional cookies into the request headers.
The agent cookie, iPlanetDirectoryPro, can be corrupted by these custom cookie insertions, triggering an IIS hang or crash. This behavior is unpredictable and depends on the application's runtime flows and their interaction with the agent.
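
An added illustration of the condition named in the title, not OpenSSO agent code and not taken from this note: a C lookup for the iPlanetDirectoryPro cookie that treats a name with no "=<cookie value>" as malformed input instead of assuming the "=" is present. The function name cookie_lookup and its return codes are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not OpenSSO agent code.
 * Copies the value of cookie `name` from a Cookie header into out[outsz].
 * Returns 1 if found, 0 if absent, -1 if the cookie is present as a bare
 * name (no "=value"), the value does not fit, or an argument is invalid. */
int cookie_lookup(const char *header, const char *name, char *out, size_t outsz)
{
    const char *p = header;
    size_t nlen;

    if (!header || !name || !out || outsz == 0)
        return -1;
    out[0] = '\0';
    nlen = strlen(name);

    while (*p) {
        const char *end, *eq, *nend;
        size_t vlen;

        while (*p == ' ' || *p == '\t' || *p == ';')   /* skip separators */
            p++;
        if (!*p)
            break;
        end = strchr(p, ';');
        if (!end)
            end = p + strlen(p);
        /* Look for '=' only inside this pair; NULL means a bare name. */
        eq = memchr(p, '=', (size_t)(end - p));
        nend = eq ? eq : end;
        while (nend > p && (nend[-1] == ' ' || nend[-1] == '\t'))
            nend--;                                     /* trim the name */

        if ((size_t)(nend - p) == nlen && memcmp(p, name, nlen) == 0) {
            if (!eq)
                return -1;   /* never compute eq + 1 from a NULL result */
            vlen = (size_t)(end - (eq + 1));
            if (vlen >= outsz)
                return -1;
            memcpy(out, eq + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end;
    }
    return 0;
}
```

A caller that receives -1 can reject the request or treat the session cookie as absent, so a malformed header ends in a normal error path rather than a fault inside the IIS worker process.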

Cause
