httpd-cvs mailing list archives

From traw...@apache.org
Subject cvs commit: httpd-2.0/server protocol.c
Date Mon, 28 Jun 2004 23:53:52 GMT
trawick     2004/06/28 16:53:52

  Modified:    .        CHANGES
               server   protocol.c
  Log:
  CAN-2004-0493 - memory exhaustion denial of service
  
  Reviewed by:	jerenkrantz
  
  Revision  Changes    Path
  1.1521    +5 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.1520
  retrieving revision 1.1521
  diff -u -r1.1520 -r1.1521
  --- CHANGES	23 Jun 2004 12:32:21 -0000	1.1520
  +++ CHANGES	28 Jun 2004 23:53:52 -0000	1.1521
  @@ -388,6 +388,11 @@
   
   Changes with Apache 2.0.50
   
  +  *) SECURITY: CAN-2004-0493 (cve.mitre.org)
  +     Close a denial of service vulnerability identified by Georgi
  +     Guninski which could lead to memory exhaustion with certain
  +     input data.  [Jeff Trawick]
  +
     *) mod_alias now emits a warning if it detects overlapping *Alias*
        directives.  [André Malo]
   
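Review bot: the new CHANGES entry describes the trigger only as "certain input data", which does not tell an administrator which requests are affected or which setting now bounds them. The protocol.c change in this same commit rejects a request header field whose size after folding exceeds limit_req_fieldsize, so the entry could say that folded (continuation) request header lines were not held to the request field size limit and that such requests are now answered with a 400.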
  
  
  
  1.149     +17 -0     httpd-2.0/server/protocol.c
  
  Index: protocol.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/server/protocol.c,v
  retrieving revision 1.148
  retrieving revision 1.149
  diff -u -r1.148 -r1.149
  --- protocol.c	22 Apr 2004 22:38:03 -0000	1.148
  +++ protocol.c	28 Jun 2004 23:53:52 -0000	1.149
  @@ -716,6 +716,23 @@
                    * continuations that span many many lines.
                    */
                   apr_size_t fold_len = last_len + len + 1; /* trailing null */
  +
  +                if ((fold_len - 1) > r->server->limit_req_fieldsize) {
  +                    r->status = HTTP_BAD_REQUEST;
  +                    /* report what we have accumulated so far before the
  +                     * overflow (last_field) as the field with the problem
  +                     */
  +                    apr_table_setn(r->notes, "error-notes",
  +                                   apr_pstrcat(r->pool,
  +                                               "Size of a request header field " 
  +                                               "after folding "
  +                                               "exceeds server limit.<br />\n"
  +                                               "<pre>\n",
  +                                               ap_escape_html(r->pool, last_field),
  +                                               "</pre>\n", NULL));
  +                    return;
  +                }
  +
                   if (fold_len > alloc_len) {
                       char *fold_buf;
                       alloc_len += alloc_len;
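Review bot: the test (fold_len - 1) > r->server->limit_req_fieldsize in the new if undoes the + 1 applied on the context line directly above it, so a reader has to work through the off-by-one to see which length is being limited. Comparing last_len + len against the limit, or adding a short comment that the trailing null is excluded, would make it plain that the limit applies to the folded field's length. fold_len is an apr_size_t, so it is also worth stating in that comment how the comparison behaves against the type of limit_req_fieldsize. Style: the line "Size of a request header field " carries trailing whitespace after the closing quote.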
  
  
  
