From wr...@apache.org
Subject svn commit: r800730 - in /apr/apr/trunk: CHANGES memory/unix/apr_pools.c util-misc/apr_rmm.c
Date Tue, 04 Aug 2009 11:33:08 GMT
Author: wrowe
Date: Tue Aug  4 11:33:08 2009
New Revision: 800730

URL: http://svn.apache.org/viewvc?rev=800730&view=rev
Log:
SECURITY: CVE-2009-2412 (cve.mitre.org)
Fix overflow in pools and rmm, where size alignment was taking place.

Reported by: Matt Lewis <mattlewis@google.com>

* CHANGES
  Add entry for CVE-2009-2412.
* memory/unix/apr_pools.c
  (allocator_alloc, apr_palloc): Check for overflow after aligning size.
  (apr_pcalloc): Drop aligning of size; clearing what the caller asked for should suffice.
* util-misc/apr_rmm.c
  (apr_rmm_malloc, apr_rmm_calloc, apr_rmm_realloc): Check for overflow after aligning size.
 

Submitted by: Matt Lewis <mattlewis@google.com>, Sander Striker

Modified:
    apr/apr/trunk/CHANGES
    apr/apr/trunk/memory/unix/apr_pools.c
    apr/apr/trunk/util-misc/apr_rmm.c

Modified: apr/apr/trunk/CHANGES
URL: http://svn.apache.org/viewvc/apr/apr/trunk/CHANGES?rev=800730&r1=800729&r2=800730&view=diff
==============================================================================
--- apr/apr/trunk/CHANGES [utf-8] (original)
+++ apr/apr/trunk/CHANGES [utf-8] Tue Aug  4 11:33:08 2009
@@ -1,6 +1,10 @@
                                                      -*- coding: utf-8 -*-
 Changes for APR 2.0.0
 
+  *) SECURITY: CVE-2009-2412 (cve.mitre.org)
+     Fix overflow in pools and rmm, where size alignment was taking place.
+     [Matt Lewis <mattlewis@google.com>, Sander Striker]
+
   *) Pass default environment to testflock, testoc and testpipe children,
      so that tests run when APR is compiled with Intel C Compiler.
      [Bojan Smojver]

Modified: apr/apr/trunk/memory/unix/apr_pools.c
URL: http://svn.apache.org/viewvc/apr/apr/trunk/memory/unix/apr_pools.c?rev=800730&r1=800729&r2=800730&view=diff
==============================================================================
--- apr/apr/trunk/memory/unix/apr_pools.c (original)
+++ apr/apr/trunk/memory/unix/apr_pools.c Tue Aug  4 11:33:08 2009
@@ -191,16 +191,19 @@
 }
 
 static APR_INLINE
-apr_memnode_t *allocator_alloc(apr_allocator_t *allocator, apr_size_t size)
+apr_memnode_t *allocator_alloc(apr_allocator_t *allocator, apr_size_t in_size)
 {
     apr_memnode_t *node, **ref;
     apr_uint32_t max_index;
-    apr_size_t i, index;
+    apr_size_t size, i, index;
 
     /* Round up the block size to the next boundary, but always
      * allocate at least a certain size (MIN_ALLOC).
      */
-    size = APR_ALIGN(size + APR_MEMNODE_T_SIZE, BOUNDARY_SIZE);
+    size = APR_ALIGN(in_size + APR_MEMNODE_T_SIZE, BOUNDARY_SIZE);
+    if (size < in_size) {
+        return NULL;
+    }
     if (size < MIN_ALLOC)
         size = MIN_ALLOC;
 
@@ -628,13 +631,19 @@
  * Memory allocation
  */
 
-APR_DECLARE(void *) apr_palloc(apr_pool_t *pool, apr_size_t size)
+APR_DECLARE(void *) apr_palloc(apr_pool_t *pool, apr_size_t in_size)
 {
     apr_memnode_t *active, *node;
     void *mem;
-    apr_size_t free_index;
+    apr_size_t size, free_index;
 
-    size = APR_ALIGN_DEFAULT(size);
+    size = APR_ALIGN_DEFAULT(in_size);
+    if (size < in_size) {
+        if (pool->abort_fn)
+            pool->abort_fn(APR_ENOMEM);
+
+        return NULL;
+    }
     active = pool->active;
 
     /* If the active node has enough bytes left, use it. */
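Review bot: The overflow guard added to apr_palloc is undocumented and, unlike the one added to allocator_alloc in the same commit, routes through `pool->abort_fn(APR_ENOMEM)`; a one-line comment would tell a reader the two paths differ on purpose. Suggest `/* APR_ALIGN_DEFAULT wrapped apr_size_t: report it like any other allocation failure. */` before the `if (size < in_size)`. The test itself is correct as written, because a wrapped alignment result is bounded by the alignment padding and cannot reach an in_size large enough to have wrapped. apr_palloc's body continues past the hunk.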
@@ -699,7 +708,6 @@
 {
     void *mem;
 
-    size = APR_ALIGN_DEFAULT(size);
     if ((mem = apr_palloc(pool, size)) != NULL) {
         memset(mem, 0, size);
     }

Modified: apr/apr/trunk/util-misc/apr_rmm.c
URL: http://svn.apache.org/viewvc/apr/apr/trunk/util-misc/apr_rmm.c?rev=800730&r1=800729&r2=800730&view=diff
==============================================================================
--- apr/apr/trunk/util-misc/apr_rmm.c (original)
+++ apr/apr/trunk/util-misc/apr_rmm.c Tue Aug  4 11:33:08 2009
@@ -306,13 +306,17 @@
 
 APR_DECLARE(apr_rmm_off_t) apr_rmm_malloc(apr_rmm_t *rmm, apr_size_t reqsize)
 {
+    apr_size_t size;
     apr_rmm_off_t this;
     
-    reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+    size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+    if (size < reqsize) {
+        return 0;
+    }
 
     APR_ANYLOCK_LOCK(&rmm->lock);
 
-    this = find_block_of_size(rmm, reqsize);
+    this = find_block_of_size(rmm, size);
 
     if (this) {
         move_block(rmm, this, 0);
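Review bot: The guard `if (size < reqsize) return 0;` in apr_rmm_malloc is repeated verbatim in apr_rmm_calloc below, and a reader has to work out that the comparison detects wraparound of `APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE`. A short comment, `/* aligned size + block header wrapped apr_size_t; 0 is this API's failure offset */`, would make the intent explicit, or the three lines could move into a small static helper that both entry points call so they cannot drift apart. The check is sound as far as the hunk shows: a wrapped sum is at most RMM_BLOCK_SIZE plus the alignment padding, far below any reqsize that can wrap. apr_rmm_malloc's tail, including the unlock and return, is outside the hunk.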
@@ -325,18 +329,22 @@
 
 APR_DECLARE(apr_rmm_off_t) apr_rmm_calloc(apr_rmm_t *rmm, apr_size_t reqsize)
 {
+    apr_size_t size;
     apr_rmm_off_t this;
         
-    reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+    size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+    if (size < reqsize) {
+        return 0;
+    }
 
     APR_ANYLOCK_LOCK(&rmm->lock);
 
-    this = find_block_of_size(rmm, reqsize);
+    this = find_block_of_size(rmm, size);
 
     if (this) {
         move_block(rmm, this, 0);
         this += RMM_BLOCK_SIZE;
-        memset((char*)rmm->base + this, 0, reqsize - RMM_BLOCK_SIZE);
+        memset((char*)rmm->base + this, 0, size - RMM_BLOCK_SIZE);
     }
 
     APR_ANYLOCK_UNLOCK(&rmm->lock);
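Review bot: apr_rmm_calloc now clears `size - RMM_BLOCK_SIZE`, i.e. the whole aligned payload, whereas the same commit changes apr_pcalloc to clear only the caller's size; the two calloc flavours therefore disagree about whether alignment padding is zeroed. Zeroing the full aligned block is arguably the better choice here, since a recycled block in shared memory would otherwise keep whatever its previous owner left in the padding bytes, so rather than aligning this with apr_pcalloc I would state the intent: `/* clear the whole aligned payload, not just reqsize, so a recycled block's padding carries nothing over */`. The overflow guard copied from apr_rmm_malloc is correct for the same reason as there. The function's return lies outside the hunk.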
@@ -349,16 +357,19 @@
     apr_rmm_off_t this;
     apr_rmm_off_t old;
     struct rmm_block_t *blk;
-    apr_size_t oldsize;
+    apr_size_t size, oldsize;
 
     if (!entity) {
         return apr_rmm_malloc(rmm, reqsize);
     }
 
-    reqsize = APR_ALIGN_DEFAULT(reqsize);
+    size = APR_ALIGN_DEFAULT(reqsize);
+    if (size < reqsize) {
+        return 0;
+    }
     old = apr_rmm_offset_get(rmm, entity);
 
-    if ((this = apr_rmm_malloc(rmm, reqsize)) == 0) {
+    if ((this = apr_rmm_malloc(rmm, size)) == 0) {
         return 0;
     }
 
@@ -366,7 +377,7 @@
     oldsize = blk->size;
 
     memcpy(apr_rmm_addr_get(rmm, this),
-           apr_rmm_addr_get(rmm, old), oldsize < reqsize ? oldsize : reqsize);
+           apr_rmm_addr_get(rmm, old), oldsize < size ? oldsize : size);
     apr_rmm_free(rmm, old);
 
     return this;
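Review bot: The copy bound `oldsize < size ? oldsize : size` is derived from `oldsize = blk->size`, and if blk->size is the whole block including its RMM_BLOCK_SIZE header — which is what apr_rmm_malloc asks find_block_of_size for — then the memcpy reads up to RMM_BLOCK_SIZE bytes past the old payload whenever the new size is at least that large, pulling in the following block's header or, for the last block, possibly bytes beyond the segment. If that is the layout, the bound should be the payload length: `apr_size_t oldpayload = oldsize - RMM_BLOCK_SIZE;` and `oldpayload < size ? oldpayload : size`. This predates the commit and is an over-read rather than an over-write as far as visible, but it is worth confirming against find_block_of_size while the size handling is being reworked. apr_rmm_realloc's closing brace is outside the hunk.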


