apr-commits mailing list archives

From traw...@apache.org
Subject svn commit: r1003495 - in /apr/apr-util/branches/0.9.x: CHANGES buckets/apr_brigade.c
Date Fri, 01 Oct 2010 11:43:50 GMT
Author: trawick
Date: Fri Oct  1 11:43:50 2010
New Revision: 1003495

URL: http://svn.apache.org/viewvc?rev=1003495&view=rev
Log:
Merge r1003491 from trunk:

SECURITY: CVE-2010-1623 (cve.mitre.org)
Fix a denial of service attack against apr_brigade_split_line().

Submitted by: sf
Reviewed by: trawick, jorton

Modified:
    apr/apr-util/branches/0.9.x/CHANGES
    apr/apr-util/branches/0.9.x/buckets/apr_brigade.c

Modified: apr/apr-util/branches/0.9.x/CHANGES
URL: http://svn.apache.org/viewvc/apr/apr-util/branches/0.9.x/CHANGES?rev=1003495&r1=1003494&r2=1003495&view=diff
==============================================================================
--- apr/apr-util/branches/0.9.x/CHANGES [utf-8] (original)
+++ apr/apr-util/branches/0.9.x/CHANGES [utf-8] Fri Oct  1 11:43:50 2010
@@ -1,6 +1,10 @@
                                                      -*- coding: utf-8 -*-
 Changes with APR-util 0.9.18
 
+  *) SECURITY: CVE-2010-1623 (cve.mitre.org)
+     Fix a denial of service attack against apr_brigade_split_line().
+     [Stefan Fritsch]
+
   *) SECURITY: CVE-2009-2412 (cve.mitre.org)
      Fix overflow in rmm, where size alignment was taking place.
      [Matt Lewis <mattlewis@google.com>, Sander Striker]
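
Review bot: The new CHANGES entry names apr_brigade_split_line() but not the failure mode or what triggers it, so a reader deciding whether to upgrade learns only that it is a denial of service. Consider adding a short clause on what is exhausted and by what kind of input, in the way the CVE-2009-2412 entry just below says "overflow in rmm, where size alignment was taking place".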

Modified: apr/apr-util/branches/0.9.x/buckets/apr_brigade.c
URL: http://svn.apache.org/viewvc/apr/apr-util/branches/0.9.x/buckets/apr_brigade.c?rev=1003495&r1=1003494&r2=1003495&view=diff
==============================================================================
--- apr/apr-util/branches/0.9.x/buckets/apr_brigade.c (original)
+++ apr/apr-util/branches/0.9.x/buckets/apr_brigade.c Fri Oct  1 11:43:50 2010
@@ -301,7 +301,18 @@ APU_DECLARE(apr_status_t) apr_brigade_sp
             return APR_SUCCESS;
         }
         APR_BUCKET_REMOVE(e);
-        APR_BRIGADE_INSERT_TAIL(bbOut, e);
+        if (APR_BUCKET_IS_METADATA(e) || len > APR_BUCKET_BUFF_SIZE/4) {
+            APR_BRIGADE_INSERT_TAIL(bbOut, e);
+        }
+        else {
+            if (len > 0) {
+                rv = apr_brigade_write(bbOut, NULL, NULL, str, len);
+                if (rv != APR_SUCCESS) {
+                    return rv;
+                }
+            }
+            apr_bucket_destroy(e);
+        }
         readbytes += len;
         /* We didn't find an APR_ASCII_LF within the maximum line length. */
         if (readbytes >= maxbytes) {
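
Review bot: On the early "return rv;" in the new else branch, e has already been detached by APR_BUCKET_REMOVE(e) and is neither inserted into bbOut nor destroyed, so a failing apr_brigade_write() leaves the bucket orphaned; call apr_bucket_destroy(e) before returning, or put it back, so the error path releases it like the success path does. The "len > APR_BUCKET_BUFF_SIZE/4" threshold also deserves a one-line comment saying why small data buckets are copied into bbOut while metadata and larger buckets are still moved, since the reason for the /4 is not visible from the code. Note too that readbytes += len still runs after e may have been destroyed; that is fine as written because it uses only len, but a comment there would stop a later change from touching e after this point.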


