httpd-cvs mailing list archives

From aa...@apache.org
Subject cvs commit: httpd-2.0/modules/http http_protocol.c
Date Wed, 29 May 2002 06:42:59 GMT
aaron       02/05/28 23:42:58

  Modified:    .        CHANGES
               modules/http http_protocol.c
  Log:
  Properly detect overflow when reading the hex chunk lines.
  
  Revision  Changes    Path
  1.796     +3 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.795
  retrieving revision 1.796
  diff -u -r1.795 -r1.796
  --- CHANGES	29 May 2002 03:27:01 -0000	1.795
  +++ CHANGES	29 May 2002 06:42:58 -0000	1.796
  @@ -1,5 +1,8 @@
   Changes with Apache 2.0.37
   
  +  *) Detect overflow when reading the hex bytes forming a chunk line.
  +     [Aaron Bannert]
  +
     *) Allow RewriteMap prg:'s to take command-line arguments.  PR 8464.
        [James Tait <JTait@wyrddreams.demon.co.uk>]
   
  
  
  
  1.424     +9 -3      httpd-2.0/modules/http/http_protocol.c
  
  Index: http_protocol.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/http/http_protocol.c,v
  retrieving revision 1.423
  retrieving revision 1.424
  diff -u -r1.423 -r1.424
  --- http_protocol.c	28 May 2002 23:55:53 -0000	1.423
  +++ http_protocol.c	29 May 2002 06:42:58 -0000	1.424
  @@ -859,7 +859,7 @@
               apr_brigade_flatten(bb, line, &len);
   
               ctx->remaining = get_chunk_size(line);
  -            /* Detect invalid chunk sizes. */
  +            /* Detect chunksize error (such as overflow) */
               if (ctx->remaining < 0) {
                   apr_brigade_cleanup(bb);
                   e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL,
  @@ -908,7 +908,7 @@
                   apr_brigade_flatten(bb, line, &len);
                   ctx->remaining = get_chunk_size(line);
   
  -                /* Detect invalid chunk sizes. */
  +                /* Detect chunksize error (such as overflow) */
                   if (ctx->remaining < 0) {
                       apr_brigade_cleanup(bb);
                       e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE,
  @@ -1690,8 +1690,9 @@
   static long get_chunk_size(char *b)
   {
       long chunksize = 0;
  +    size_t chunkbits = sizeof(long) * 8;
   
  -    while (apr_isxdigit(*b)) {
  +    while (apr_isxdigit(*b) && (chunkbits > 0)) {
           int xvalue = 0;
   
           if (*b >= '0' && *b <= '9') {
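Review bot: The `chunkbits` budget in the new loop condition counts every hex digit, leading zeros included, so a chunk-size line padded with zeros beyond `sizeof(long) * 2` digits is reported as overflow even though its value fits in a long. That fails closed, so it is an interoperability concern rather than an exposure, but skipping the padding first with `while (*b == '0') ++b;` ahead of the loop would spend the budget on significant digits only. `sizeof(long) * 8` also hard-codes the byte width; `sizeof(long) * CHAR_BIT` (from `<limits.h>`) states the intent directly. The body of get_chunk_size continues past the end of this hunk.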
  @@ -1705,7 +1706,12 @@
           }
   
           chunksize = (chunksize << 4) | xvalue;
  +        chunkbits -= 4;
           ++b;
  +    }
  +    if (apr_isxdigit(*b) && (chunkbits <= 0)) {
  +        /* overflow */
  +        return -1;
       }
   
       return chunksize;
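Review bot: A size that uses all `sizeof(long) * 2` digits with a leading digit of 8 or higher still passes the digit budget, and `chunksize << 4` then shifts into the sign bit of a signed `long`, which C leaves undefined. On two's-complement targets the result is usually negative, so the callers' `ctx->remaining < 0` checks in the earlier hunks reject it, but that outcome depends on the compiler rather than on this code. Testing the value before the shift makes the bound explicit: `if (chunksize > (LONG_MAX >> 4)) return -1;` placed just above `chunksize = (chunksize << 4) | xvalue;`. Separately, `chunkbits` is a `size_t`, so `chunkbits <= 0` can only ever mean `chunkbits == 0`. The function's closing brace lies outside the hunk.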
  
  
  
