httpd-cvs mailing list archives

From c...@apache.org
Subject svn commit: r896842 - in /httpd/httpd/branches/1.3.x/src: CHANGES main/buff.c modules/proxy/proxy_util.c
Date Thu, 07 Jan 2010 10:28:41 GMT
Author: colm
Date: Thu Jan  7 10:28:00 2010
New Revision: 896842

URL: http://svn.apache.org/viewvc?rev=896842&view=rev
Log:
Commit fix for CVE-2010-0010, an integer overflow on platforms where
sizeof(int) < sizeof(long) due to inappropriate casting;

    * Change "MIN( (int) a, (int) b)" to "(int) MIN(a, b)". As 'a' is the buffer
      size, it will be smaller than any long which overflows an int. 

    * More generally - change ap_bread and ap_bwrite to defend against a negative
      length argument in general. Return -1 if one is passed.


Modified:
    httpd/httpd/branches/1.3.x/src/CHANGES
    httpd/httpd/branches/1.3.x/src/main/buff.c
    httpd/httpd/branches/1.3.x/src/modules/proxy/proxy_util.c

Modified: httpd/httpd/branches/1.3.x/src/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/CHANGES?rev=896842&r1=896841&r2=896842&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/CHANGES (original)
+++ httpd/httpd/branches/1.3.x/src/CHANGES Thu Jan  7 10:28:00 2010
@@ -1,5 +1,10 @@
 Changes with Apache 1.3.42
 
+  *) SECURITY: CVE-2010-0010 (cve.mitre.org)
+     mod_proxy: Prevent chunk-size integer overflow on platforms 
+     where sizeof(int) < sizeof(long). Reported by Adam Zabrocki. 
+     [Colm MacCárthaigh]
+ 
   *) IMPORTANT: This is the final release of Apache httpd 1.3.
      Apache httpd 1.3 has reached end of life, as of January 2010.
      No further releases of this software will be made, although critical
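
Review bot: The new CHANGES entry at the top of this hunk attributes the fix to mod_proxy only, but the same commit also changes main/buff.c so that ap_bread and ap_bwrite return -1 for a negative length, which affects every caller of those functions. Consider adding a line such as "core: ap_bread and ap_bwrite now return -1 when passed a negative length" so module authors see the behaviour change.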

Modified: httpd/httpd/branches/1.3.x/src/main/buff.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/main/buff.c?rev=896842&r1=896841&r2=896842&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/main/buff.c (original)
+++ httpd/httpd/branches/1.3.x/src/main/buff.c Thu Jan  7 10:28:00 2010
@@ -737,7 +737,7 @@
 {
     int i, nrd;
 
-    if (fb->flags & B_RDERR)
+    if (fb->flags & B_RDERR || nbyte < 0)
 	return -1;
     if (nbyte == 0)
 	return 0;
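
Review bot: In the changed condition `fb->flags & B_RDERR || nbyte < 0`, correctness depends on `&` binding tighter than `||`. It does, but writing `(fb->flags & B_RDERR) || nbyte < 0` makes the intent obvious at a glance. The negative-length case also returns the same -1 as a prior read error, so a short comment above the check saying that a negative nbyte is rejected would help anyone reading this function.
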
@@ -1258,7 +1258,7 @@
     static int csize = 0;
 #endif /*CHARSET_EBCDIC*/
 
-    if (fb->flags & (B_WRERR | B_EOUT))
+    if (fb->flags & (B_WRERR | B_EOUT) || nbyte < 0)
 	return -1;
     if (nbyte == 0)
 	return 0;
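
Review bot: The negative `nbyte` check is folded into the `B_WRERR | B_EOUT` test, so a caller that gets -1 cannot tell a bad argument from a stream already in an error state, and nothing visible here records the rejection. A separate `if (nbyte < 0) return -1;` with a one-line comment would keep the two conditions distinct; at minimum parenthesize the flag test as `(fb->flags & (B_WRERR | B_EOUT)) || nbyte < 0`.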

Modified: httpd/httpd/branches/1.3.x/src/modules/proxy/proxy_util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/modules/proxy/proxy_util.c?rev=896842&r1=896841&r2=896842&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/modules/proxy/proxy_util.c (original)
+++ httpd/httpd/branches/1.3.x/src/modules/proxy/proxy_util.c Thu Jan  7 10:28:00 2010
@@ -507,7 +507,7 @@
 
             /* read the chunk */
             if (remaining > 0) {
-                n = ap_bread(f, buf, MIN((int)buf_size, (int)remaining));
+                n = ap_bread(f, buf, (int) MIN(buf_size, remaining));
                 if (n > -1) {
                     remaining -= n;
                     end_of_chunk = (remaining == 0);
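
Review bot: The new `(int) MIN(buf_size, remaining)` is only safe because of two conditions the line itself does not state: the enclosing `if (remaining > 0)` keeps the second operand positive, and buf_size has to fit in an int so the narrowed result cannot exceed it. A comment recording both assumptions next to the cast would stop a later edit from reintroducing the per-operand casts. It is also worth confirming that buf_size and remaining have the same signedness, since MIN compares them after the usual arithmetic conversions.
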
@@ -548,8 +548,8 @@
                 n = ap_bread(f, buf, buf_size);
             }
             else {
-                n = ap_bread(f, buf, MIN((int)buf_size,
-                                         (int)(len - total_bytes_rcvd)));
+                n = ap_bread(f, buf, (int) MIN(buf_size,
+                                               (len - total_bytes_rcvd)));
             }
         }
 
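
Review bot: Unlike the chunked path, the else branch here shows no guard that `len - total_bytes_rcvd` is positive before it goes into MIN. If that difference can ever be negative, the cast result is passed straight to ap_bread, which per the buff.c change in this commit returns -1. Please confirm the surrounding loop treats that as an error, or add an explicit check before the call.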



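The casting change described in the log message, as an added example that is not part of the commit or of Apache httpd. The names narrow_t, wide_t, len_cast_then_min, len_min_then_cast and checked_read_len are assumptions made for illustration, with fixed-width types standing in for int and long on a platform where sizeof(int) < sizeof(long), and all sample sizes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Fixed-width stand-ins so the example behaves the same everywhere:
 * narrow_t plays "int", wide_t plays "long" on an LP64 platform. */
typedef int32_t narrow_t;
typedef int64_t wide_t;

/* Pre-fix pattern: each operand is narrowed before the comparison.
 * Narrowing an out-of-range value is implementation-defined; GCC and
 * Clang wrap modulo 2^32, so a large length can turn negative. */
narrow_t len_cast_then_min(wide_t buf_size, wide_t remaining)
{
    return MIN((narrow_t)buf_size, (narrow_t)remaining);
}

/* Post-fix pattern: compare in the wide type, then narrow the result,
 * which can no longer exceed buf_size. */
narrow_t len_min_then_cast(wide_t buf_size, wide_t remaining)
{
    return (narrow_t)MIN(buf_size, remaining);
}

/* Mirrors the guard the commit adds: refuse a negative length. */
int checked_read_len(narrow_t nbyte)
{
    return nbyte < 0 ? -1 : (int)nbyte;
}

int main(void)
{
    const wide_t buf_size = 8192;          /* constructed buffer size */
    const wide_t samples[] = {             /* constructed chunk sizes */
        100, 8192, 0x7fffffffLL, 0x80000000LL, 0xffffffffLL, 0x100000010LL
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        narrow_t before = len_cast_then_min(buf_size, samples[i]);
        narrow_t after = len_min_then_cast(buf_size, samples[i]);
        printf("remaining=%lld before=%d (guarded: %d) after=%d\n",
               (long long)samples[i], (int)before,
               checked_read_len(before), (int)after);
    }
    return 0;
}
```

The last sample shows that the pre-fix pattern can also yield a small positive but wrong length, which the negative-length guard alone would not catch.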