httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From m..@apache.org
Subject cvs commit: apache-1.3/src/modules/proxy proxy_http.c
Date Fri, 11 Jun 2004 07:54:38 GMT
mjc         2004/06/11 00:54:38

  Modified:    src      CHANGES
               src/modules/proxy proxy_http.c
  Log:
  Receiving a negative content length from a remote server can cause
  a buffer overflow in later code; reject connection if we receive an invalid
  header.  CAN-2004-0492
  Submitted by: Mark Cox
  Reviewed by: Joe Orton, Bill Stoddard, Jim Jagielski
  
  Revision  Changes    Path
  1.1943    +4 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1942
  retrieving revision 1.1943
  diff -u -r1.1942 -r1.1943
  --- CHANGES	2 Jun 2004 22:49:03 -0000	1.1942
  +++ CHANGES	11 Jun 2004 07:54:38 -0000	1.1943
  @@ -1,5 +1,9 @@
   Changes with Apache 1.3.32
   
  +  *) SECURITY: CAN-2004-0492 (cve.mitre.org)
  +     Reject responses from a remote server if sent an invalid (negative) 
  +     Content-Length.  [Mark Cox]
  +
     *) Fix a bunch of cases where the return code of the regex compiler
        was not checked properly. This affects mod_usertrack and
        core. PR 28218.  [André Malo]
  
  
  
  1.107     +7 -0      apache-1.3/src/modules/proxy/proxy_http.c
  
  Index: proxy_http.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/modules/proxy/proxy_http.c,v
  retrieving revision 1.106
  retrieving revision 1.107
  diff -u -r1.106 -r1.107
  --- proxy_http.c	29 Mar 2004 17:47:15 -0000	1.106
  +++ proxy_http.c	11 Jun 2004 07:54:38 -0000	1.107
  @@ -485,6 +485,13 @@
           content_length = ap_table_get(resp_hdrs, "Content-Length");
           if (content_length != NULL) {
               c->len = ap_strtol(content_length, NULL, 10);
  +
  +	    if (c->len < 0) {
  +		ap_kill_timeout(r);
  +		return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool,
  +				     "Invalid Content-Length from remote server",
  +                                      NULL));
  +	    }
           }
   
       }
  
  
  

Mime
View raw message