httpd-cvs mailing list archives

From rpl...@apache.org
Subject svn commit: r383339 - in /httpd/httpd/trunk: CHANGES modules/proxy/ajp_header.c
Date Sun, 05 Mar 2006 15:22:20 GMT
Author: rpluem
Date: Sun Mar  5 07:22:18 2006
New Revision: 383339

URL: http://svn.apache.org/viewcvs?rev=383339&view=rev
Log:
* Crosscheck the length of the body chunk with the length of the ajp message
  to prevent readings beyond the buffer boundaries which possibly could reveal
  sensitive memory contents to the client.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/proxy/ajp_header.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/CHANGES?rev=383339&r1=383338&r2=383339&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sun Mar  5 07:22:18 2006
@@ -2,6 +2,11 @@
 Changes with Apache 2.3.0
   [Remove entries to the current 2.0 and 2.2 section below, when backported]
 
+  *) mod_proxy_ajp: Crosscheck the length of the body chunk with the length of
+     the ajp message to prevent mod_proxy_ajp from reading beyond the buffer
+     boundaries and thus revealing possibly sensitive memory contents to the
+     client. [Ruediger Pluem]
+
   *) mod_proxy_http: Do send keep-alive header if the client sent
      connection: keep-alive and do not close backend connection if the client
      sent connection: close. PR 38524. [Ruediger Pluem, Joe Orton]

Modified: httpd/httpd/trunk/modules/proxy/ajp_header.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/proxy/ajp_header.c?rev=383339&r1=383338&r2=383339&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/proxy/ajp_header.c (original)
+++ httpd/httpd/trunk/modules/proxy/ajp_header.c Sun Mar  5 07:22:18 2006
@@ -683,6 +683,7 @@
 {
     apr_byte_t result;
     apr_status_t rc;
+    apr_uint16_t expected_len;
 
     rc = ajp_msg_get_uint8(msg, &result);
     if (rc != APR_SUCCESS) {
@@ -698,6 +699,23 @@
     rc = ajp_msg_get_uint16(msg, len);
     if (rc != APR_SUCCESS) {
         return rc;
+    }
+    /*
+     * msg->len contains the complete length of the message including all
+     * headers. So the expected length for a CMD_AJP13_SEND_BODY_CHUNK is
+     * msg->len minus the sum of
+     * AJP_HEADER_LEN    : The length of the header to every AJP message.
+     * AJP_HEADER_SZ_LEN : The header giving the size of the chunk.
+     * 1                 : The CMD_AJP13_SEND_BODY_CHUNK indicator byte (0x03).
+     * 1                 : The last byte of this message always seems to be
+     *                     0x00 and is not part of the chunk.
+     */
+    expected_len = msg->len - (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1);
+    if (*len != expected_len) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+               "ajp_parse_data: Wrong chunk length. Length of chunk is %i,"
+               " expected length is %i.", *len, expected_len);
+        return AJP_EBAD_HEADER;
     }
     *ptr = (char *)&(msg->buf[msg->pos]);
     return APR_SUCCESS;
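Review bot: the subtraction at `expected_len = msg->len - (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1);` has no guard that `msg->len` is at least the fixed overhead being subtracted, so for a short or malformed message the result wraps instead of signalling an error and is then truncated into the `apr_uint16_t`, which makes the `*len != expected_len` comparison depend on an accidental value rather than rejecting the message outright. Suggest an explicit check before the computation, e.g. `if (msg->len < AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 2) return AJP_EBAD_HEADER;`, and tightening the comment's "always seems to be 0x00" into a statement of what the protocol specifies for that trailing byte, so the second `+ 1` is documented rather than observed.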
