Author: trawick
Date: Thu May 13 16:06:25 2010
New Revision: 943925
URL: http://svn.apache.org/viewvc?rev=943925&view=rev
Log:
merge r814844 from 2.2.x branch (trunk revs 814652 and 814785):
*) SECURITY: CVE-2009-3094 (cve.mitre.org)
mod_proxy_ftp: NULL pointer dereference on error paths.
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
Reviewed by: pgollucci, poirier, trawick
Modified:
httpd/httpd/branches/2.0.x/CHANGES
httpd/httpd/branches/2.0.x/STATUS
httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c
Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=943925&r1=943924&r2=943925&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Thu May 13 16:06:25 2010
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.0.64
+ *) SECURITY: CVE-2009-3094 (cve.mitre.org)
+ mod_proxy_ftp: NULL pointer dereference on error paths.
+ [Stefan Fritsch <sf fritsch.de>, Joe Orton]
+
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
for OpenSSL versions prior to 0.9.8l; reject any client-initiated
Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=943925&r1=943924&r2=943925&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Thu May 13 16:06:25 2010
@@ -141,13 +141,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
+1: pgollucci, poirier, rjung
PG: whomever proposed this should vote for it
- * mod_proxy_ftp, CVE-2009-3094, NULL pointer dereference on error paths
- Patch in 2.2.x branch:
- http://svn.apache.org/viewvc?view=revision&revision=814844
- Backport:
- http://people.apache.org/~trawick/CVE-2009-3094-2.0.txt
- +1: pgollucci, poirier, trawick
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ please place SVN revisions from trunk here, so it is easy to
identify exactly what the proposed changes are! Add all new
Modified: httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c?rev=943925&r1=943924&r2=943925&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c (original)
+++ httpd/httpd/branches/2.0.x/modules/proxy/proxy_ftp.c Thu May 13 16:06:25 2010
@@ -588,6 +588,31 @@ apr_status_t ap_proxy_send_dir_filter(ap
return APR_SUCCESS;
}
+/* Parse EPSV reply and return port, or zero on error. */
+static apr_port_t parse_epsv_reply(const char *reply)
+{
+ const char *p;
+ char *ep;
+ long port;
+
+ /* Reply syntax per RFC 2428: "229 blah blah (|||port|)" where '|'
+ * can be any character in ASCII from 33-126, obscurely. Verify
+ * the syntax. */
+ p = ap_strchr_c(reply, '(');
+ if (p == NULL || !p[1] || p[1] != p[2] || p[1] != p[3]
+ || p[4] == p[1]) {
+ return 0;
+ }
+
+ errno = 0;
+ port = strtol(p + 4, &ep, 10);
+ if (errno || port < 1 || port > 65535 || ep[0] != p[1] || ep[1] != ')') {
+ return 0;
+ }
+
+ return (apr_port_t)port;
+}
+
/*
* Generic "send FTP command to server" routine, using the control socket.
* Returns the FTP returncode (3 digit code)
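Review bot: parse_epsv_reply accepts a little more than the RFC 2428 port syntax it documents, because strtol skips leading whitespace and a sign before the digits: with `|` as delimiter a constructed reply of the form `(||| 21|)` or `(|||+21|)` still yields 21 rather than 0. Checking that the first port character is a digit before calling strtol closes that, e.g. `if (!apr_isdigit(p[4])) { return 0; }`, and documenting the accepted range in the header comment (`/* ... returns the port (1-65535), or zero on error. */`) would make the contract explicit. The function also relies on `errno` being declared; the include block is outside this hunk, so confirm the file already pulls in the header that provides it.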
@@ -1232,26 +1257,11 @@ int ap_proxy_ftp_handler(request_rec *r,
return ap_proxyerror(r, HTTP_BAD_GATEWAY, ftpmessage);
}
else if (rc == 229) {
- char *pstr;
- char *tok_cntx;
-
- pstr = ftpmessage;
- pstr = apr_strtok(pstr, " ", &tok_cntx); /* separate result code */
- if (pstr != NULL) {
- if (*(pstr + strlen(pstr) + 1) == '=') {
- pstr += strlen(pstr) + 2;
- }
- else {
- pstr = apr_strtok(NULL, "(", &tok_cntx); /* separate address &
- * port params */
- if (pstr != NULL)
- pstr = apr_strtok(NULL, ")", &tok_cntx);
- }
- }
+ /* Parse the port out of the EPSV reply. */
+ data_port = parse_epsv_reply(ftpmessage);
- if (pstr) {
+ if (data_port) {
apr_sockaddr_t *epsv_addr;
- data_port = atoi(pstr + 3);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"proxy: FTP: EPSV contacting remote host on port %d",
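Review bot: When parse_epsv_reply returns 0 the handler now skips the EPSV data connection without recording why, so an unexpected or malformed 229 reply leaves nothing in the log for an operator to correlate with the later fallback (presumably to the regular PASV path, going by the "try the regular way" comment removed further down). A debug line in an else branch after the `if (data_port)` block would make that visible, e.g. `else { ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "proxy: FTP: EPSV reply could not be parsed"); }`. ap_proxy_ftp_handler begins and the `if (data_port)` block ends outside this hunk.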
@@ -1287,10 +1297,6 @@ int ap_proxy_ftp_handler(request_rec *r,
connect = 1;
}
}
- else {
- /* and try the regular way */
- apr_socket_close(data_sock);
- }
}
}
@@ -1372,10 +1378,6 @@ int ap_proxy_ftp_handler(request_rec *r,
connect = 1;
}
}
- else {
- /* and try the regular way */
- apr_socket_close(data_sock);
- }
}
}
/*bypass:*/
@@ -1840,7 +1842,9 @@ int ap_proxy_ftp_handler(request_rec *r,
* for a slow client to eat these bytes
*/
ap_flush_conn(data);
- apr_socket_close(data_sock);
+ if (data_sock) {
+ apr_socket_close(data_sock);
+ }
data_sock = NULL;
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"proxy: FTP: data connection closed");
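Review bot: The new `if (data_sock)` guard protects only the close; `ap_flush_conn(data)` on the line before it still runs unconditionally, and if `data` can be unset on the same paths that leave `data_sock` NULL it would need the same guard — that cannot be determined from this hunk. If `data` is always valid here, a one-line comment above the guard, `/* data_sock is NULL when no data connection was established (EPSV/PASV fallback) */`, would record why the check is needed. ap_proxy_ftp_handler begins outside this hunk.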