httpd-cvs mailing list archives

From traw...@apache.org
Subject svn commit: r590277 - in /httpd/httpd/branches/1.3.x/src: CHANGES modules/proxy/proxy_util.c
Date Tue, 30 Oct 2007 19:17:03 GMT
Author: trawick
Date: Tue Oct 30 12:17:03 2007
New Revision: 590277

URL: http://svn.apache.org/viewvc?rev=590277&view=rev
Log:
SECURITY: CVE-2007-3847 (cve.mitre.org)
mod_proxy: Prevent reading past the end of a buffer when parsing
date-related headers.  PR 41144.

Reviewed by: Eric, JimJag

Modified:
    httpd/httpd/branches/1.3.x/src/CHANGES
    httpd/httpd/branches/1.3.x/src/modules/proxy/proxy_util.c

Modified: httpd/httpd/branches/1.3.x/src/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/CHANGES?rev=590277&r1=590276&r2=590277&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/CHANGES (original)
+++ httpd/httpd/branches/1.3.x/src/CHANGES Tue Oct 30 12:17:03 2007
@@ -1,5 +1,12 @@
 Changes with Apache 1.3.40
 
+  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
+     mod_proxy: Prevent reading past the end of a buffer when parsing
+     date-related headers.  PR 41144.
+     With Apache 1.3, the denial of service vulnerability applies only 
+     to the Windows and NetWare platforms.
+     [Jeff Trawick]
+
   *) More efficient implementation of the CVE-2007-3304 PID table
      patch. This fixes issues with excessive memory usage by the
      parent process if long-running and with a high number of child
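
Review bot: The added line ending in "applies only " in the new CHANGES entry carries trailing whitespace, which should be stripped. The entry also states that on 1.3 the denial of service applies only to Windows and NetWare without giving the reason; a short clause explaining why would help readers triaging other platforms.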

Modified: httpd/httpd/branches/1.3.x/src/modules/proxy/proxy_util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/modules/proxy/proxy_util.c?rev=590277&r1=590276&r2=590277&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/modules/proxy/proxy_util.c (original)
+++ httpd/httpd/branches/1.3.x/src/modules/proxy/proxy_util.c Tue Oct 30 12:17:03 2007
@@ -282,7 +282,8 @@
         *q = ',';
         if (wk == 7)
             return x;           /* not a valid date */
-        if (q[4] != '-' || q[8] != '-' || q[11] != ' ' || q[14] != ':' ||
+        if (strlen(q) != 24 ||
+            q[4] != '-' || q[8] != '-' || q[11] != ' ' || q[14] != ':' ||
             q[17] != ':' || strcmp(&q[20], " GMT") != 0)
             return x;
         if (sscanf(q + 2, "%u-%3s-%u %u:%u:%u %3s", &mday, month, &year,
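
Review bot: The literal 24 in the added `strlen(q) != 24` test is unexplained, and the safety of the q[4] through q[17] and `&q[20]` accesses now depends on that test staying first in the `||` chain. A one-line comment would cover both points: 24 is the length from the comma through " GMT" (the strcmp at `&q[20]` puts the terminator at q[24]), and the length test must be evaluated before any indexing so that a later reordering does not reintroduce the read past the end of the buffer.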
@@ -294,8 +295,9 @@
             year += 1900;
     }
     else {
-/* check for acstime() date */
-        if (x[3] != ' ' || x[7] != ' ' || x[10] != ' ' || x[13] != ':' ||
+/* check for asctime() date */
+        if (strlen(x) != 24 ||
+            x[3] != ' ' || x[7] != ' ' || x[10] != ' ' || x[13] != ':' ||
             x[16] != ':' || x[19] != ' ' || x[24] != '\0')
             return x;
         if (sscanf(x, "%3s %3s %u %u:%u:%u %u", week, month, &mday, &hour,
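
Review bot: With `strlen(x) != 24` added at the head of the asctime() condition, the trailing `x[24] != '\0'` test can no longer be true when it is reached, so it is dead code and can be dropped. As in the previous hunk, 24 is a bare literal whose position at the front of the `||` chain is what keeps x[3] through x[19] in bounds, which deserves a short comment. The corrected `/* check for asctime() date */` comment also still sits at column 0 rather than at the indentation of the code it describes.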


