httpd-cvs mailing list archives

From traw...@apache.org
Subject cvs commit: httpd-2.0/server protocol.c
Date Mon, 28 Jun 2004 23:57:14 GMT
trawick     2004/06/28 16:57:14

  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES
               server   Tag: APACHE_2_0_BRANCH protocol.c
  Log:
  CAN-2004-0493 - memory exhaustion denial of service
  
  Reviewed by:	jerenkrantz
  
  Revision  Changes    Path
  No                   revision
  No                   revision
  1.988.2.306 +5 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.988.2.305
  retrieving revision 1.988.2.306
  diff -u -r1.988.2.305 -r1.988.2.306
  --- CHANGES	16 Jun 2004 08:39:59 -0000	1.988.2.305
  +++ CHANGES	28 Jun 2004 23:57:13 -0000	1.988.2.306
  @@ -1,5 +1,10 @@
   Changes with Apache 2.0.50
   
  +  *) SECURITY: CAN-2004-0493 (cve.mitre.org)
  +     Close a denial of service vulnerability identified by Georgi
  +     Guninski which could lead to memory exhaustion with certain
  +     input data.  [Jeff Trawick]
  +
     *) mod_cgi: Handle output on stderr during script execution on Unix
        platforms; preventing deadlock when stderr output fills pipe buffer.
        Also fixes case where stderr from nph- scripts could be lost.
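Review bot: the new CHANGES entry says only "certain input data", which does not tell an administrator what was affected or which setting now bounds it. The protocol.c change in this same commit tests the size of a request header field after folding against limit_req_fieldsize, so the entry could say that folded (continued) request header lines are now held to the LimitRequestFieldSize limit. That lets operators who have raised that directive judge their remaining exposure.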
  
  
  
  No                   revision
  No                   revision
  1.121.2.19 +17 -0     httpd-2.0/server/protocol.c
  
  Index: protocol.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/server/protocol.c,v
  retrieving revision 1.121.2.18
  retrieving revision 1.121.2.19
  diff -u -r1.121.2.18 -r1.121.2.19
  --- protocol.c	11 Jun 2004 20:46:41 -0000	1.121.2.18
  +++ protocol.c	28 Jun 2004 23:57:14 -0000	1.121.2.19
  @@ -719,6 +719,23 @@
                    * continuations that span many many lines.
                    */
                   apr_size_t fold_len = last_len + len + 1; /* trailing null */
  +
  +                if ((fold_len - 1) > r->server->limit_req_fieldsize) {
  +                    r->status = HTTP_BAD_REQUEST;
  +                    /* report what we have accumulated so far before the
  +                     * overflow (last_field) as the field with the problem
  +                     */
  +                    apr_table_setn(r->notes, "error-notes",
  +                                   apr_pstrcat(r->pool,
  +                                               "Size of a request header field " 
  +                                               "after folding "
  +                                               "exceeds server limit.<br />\n"
  +                                               "<pre>\n",
  +                                               ap_escape_html(r->pool, last_field),
  +                                               "</pre>\n", NULL));
  +                    return;
  +                }
  +
                   if (fold_len > alloc_len) {
                       char *fold_buf;
                       alloc_len += alloc_len;
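Review bot: in the added test `(fold_len - 1) > r->server->limit_req_fieldsize`, fold_len is an apr_size_t, so the comparison is done unsigned. If limit_req_fieldsize is a signed type and can ever hold a negative value, it converts to a very large number and the check never fires; an explicit cast or a guard on the limit would make the intent clear. Comparing `last_len + len` directly would also read more plainly than adding 1 for the trailing null and subtracting it again on the next line. Placing the check before the `fold_len > alloc_len` growth path is right, since the oversized request is rejected before any larger buffer is allocated. The error note echoes last_field through ap_escape_html, which is good, but that field can be close to the limit in length, so consider truncating what is echoed. Nit: there is trailing whitespace after the string literal on the "Size of a request header field " line.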
  
  
  
