httpd-cvs mailing list archives

From traw...@apache.org
Subject svn commit: r791454 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS server/core_filters.c
Date Mon, 06 Jul 2009 12:03:20 GMT
Author: trawick
Date: Mon Jul  6 12:03:20 2009
New Revision: 791454

URL: http://svn.apache.org/viewvc?rev=791454&view=rev
Log:
SECURITY: CVE-2009-1891 (cve.mitre.org)
Fix a potential Denial-of-Service attack against mod_deflate or other 
modules, by forcing the server to consume CPU time in compressing a 
large file after a client disconnects.  [Joe Orton, Ruediger Pluem]

Submitted by: jorton, rpluem
Reviewed by:  jim, trawick


Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/server/core_filters.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=791454&r1=791453&r2=791454&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Mon Jul  6 12:03:20 2009
@@ -1,6 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.12
 
+  *) SECURITY: CVE-2009-1891 (cve.mitre.org)
+     Fix a potential Denial-of-Service attack against mod_deflate or other 
+     modules, by forcing the server to consume CPU time in compressing a 
+     large file after a client disconnects.  [Joe Orton, Ruediger Pluem]
+
   *) SECURITY: CVE-2009-1195 (cve.mitre.org)
      Prevent the "Includes" Option from being enabled in an .htaccess 
      file if the AllowOverride restrictions do not permit it.
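
Review bot: The new CVE-2009-1891 entry reads as if the fix itself works "by forcing the server to consume CPU time"; that clause describes the attack, not the fix. Suggest rewording so the subject is unambiguous, for example "Fix a potential Denial-of-Service attack against mod_deflate or other modules, in which the server could be forced to consume CPU time compressing a large file after a client disconnects". Since the only code file modified in this commit is server/core_filters.c, the entry could also say that the fix is in the core output filter, so readers do not assume mod_deflate itself changed.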

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=791454&r1=791453&r2=791454&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Mon Jul  6 12:03:20 2009
@@ -85,27 +85,6 @@
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
- * SECURITY: CVE-2009-1891 (cve.mitre.org)
-   Fix a potential Denial-of-Service attack against mod_deflate or
-   other modules, by forcing the server to consume CPU time in
-   compressing a large file after a client disconnects.
-   2.2.x patches:
-     http://people.apache.org/~jorton/CVE-2009-1891.1.diff
-     http://people.apache.org/~jorton/CVE-2009-1891.2.diff
-   Trunk version of patch:
-     #1 folded in during core output filter refactoring
-     #2 http://svn.apache.org/viewvc?view=rev&revision=521681
-   +1: jorton, jim, rpluem
-   rpluem asks: Are we sure that b is never NULL?
-   Otherwise we would need to add
-   http://svn.apache.org/viewvc?view=rev&revision=568202
-   as on trunk to avoid segfaults.
-   trawick responds: if b were NULL, we would have segfaulted earlier
-     when ap_pass_brigade "calls" APR_BRIGADE_LAST(bb)
-   rpluem: Ahh good point. Meanwhile I had a look at trunk and the
-   event MPM is calling the core output filter directly without
-   ap_pass_brigade. So I am +1.
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 
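
Review bot: Removing this accepted entry drops the only pointers to the two 2.2.x patches and to the trunk revision listed for patch #2 (revision=521681), and the commit log above cites none of them. Suggest naming the trunk revision and the patch sources in the log message so the backport stays traceable once this STATUS block is gone. The removed discussion about whether b can be NULL is also the only written rationale for that assumption; it would be better preserved as a comment in server/core_filters.c.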

Modified: httpd/httpd/branches/2.2.x/server/core_filters.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/core_filters.c?rev=791454&r1=791453&r2=791454&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/server/core_filters.c (original)
+++ httpd/httpd/branches/2.2.x/server/core_filters.c Mon Jul  6 12:03:20 2009
@@ -542,6 +542,12 @@
     apr_read_type_e eblock = APR_NONBLOCK_READ;
     apr_pool_t *input_pool = b->p;
 
+    /* Fail quickly if the connection has already been aborted. */
+    if (c->aborted) {
+        apr_brigade_cleanup(b);
+        return APR_ECONNABORTED;
+    }
+
     if (ctx == NULL) {
         ctx = apr_pcalloc(c->pool, sizeof(*ctx));
         net->out_ctx = ctx;
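
Review bot: The early-abort check calls apr_brigade_cleanup(b) with no NULL test on b, relying on the assumption settled in the STATUS discussion that callers always arrive through ap_pass_brigade. The context line "apr_pool_t *input_pool = b->p;" already dereferences b, so the added lines introduce no new crash path, but rpluem's remark that the event MPM on trunk calls the core output filter directly shows the precondition is not universal. Suggest stating the non-NULL requirement in the comment above the check, and noting there that the APR_ECONNABORTED return is what signals upstream filters to stop producing output.
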
@@ -909,12 +915,9 @@
             /* No need to check for SUCCESS, we did that above. */
             if (!APR_STATUS_IS_EAGAIN(rv)) {
                 c->aborted = 1;
+                return APR_ECONNABORTED;
             }
 
-            /* The client has aborted, but the request was successful. We
-             * will report success, and leave it to the access and error
-             * logs to note that the connection was aborted.
-             */
             return APR_SUCCESS;
         }
 
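
Review bot: The added "return APR_ECONNABORTED;" inside "if (!APR_STATUS_IS_EAGAIN(rv))" changes what callers see on a failed write from APR_SUCCESS to an error, and the removed comment that documented the old contract is not replaced by one describing the new contract. Suggest a short comment at that return saying that a non-EAGAIN write error marks the connection aborted and is propagated so that filters earlier in the chain stop generating output. Two smaller points: the original rv is discarded in favour of a fixed APR_ECONNABORTED, which loses the underlying error for anyone debugging, and the remaining "return APR_SUCCESS;" is now reached only in the EAGAIN case, which deserves its own one-line comment.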


