From yla...@apache.org
Subject svn commit: r1638818 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy_fcgi.c
Date Wed, 12 Nov 2014 15:41:07 GMT
Author: ylavic
Date: Wed Nov 12 15:41:07 2014
New Revision: 1638818

URL: http://svn.apache.org/r1638818
Log:
mod_proxy_fcgi: CVE-2014-3583: Fix a potential crash with response headers'
size above 8K.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/proxy/mod_proxy_fcgi.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1638818&r1=1638817&r2=1638818&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed Nov 12 15:41:07 2014
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
   
+  *) SECURITY: CVE-2014-3583 (cve.mitre.org)
+     mod_proxy_fcgi: Fix a potential crash with response headers' size above 8K.
+     [Teguh <chain rop.io>, Yann Ylavic]
+
   *) event: Resolve potential crashes under load after r1604350. [Eric Covener]
 
   *) mod_authnz_ldap: Resolve crashes with LDAP authz and non-LDAP authn since 

Modified: httpd/httpd/trunk/modules/proxy/mod_proxy_fcgi.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_fcgi.c?rev=1638818&r1=1638817&r2=1638818&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/proxy/mod_proxy_fcgi.c (original)
+++ httpd/httpd/trunk/modules/proxy/mod_proxy_fcgi.c Wed Nov 12 15:41:07 2014
@@ -18,6 +18,8 @@
 #include "util_fcgi.h"
 #include "util_script.h"
 
+#include "apr_lib.h" /* for apr_iscntrl() */
+
 module AP_MODULE_DECLARE_DATA proxy_fcgi_module;
 
 /*
@@ -310,13 +312,12 @@ enum {
  *
  * Returns 0 if it can't find the end of the headers, and 1 if it found the
  * end of the headers. */
-static int handle_headers(request_rec *r,
-                          int *state,
-                          char *readbuf)
+static int handle_headers(request_rec *r, int *state,
+                          const char *readbuf, apr_size_t readlen)
 {
     const char *itr = readbuf;
 
-    while (*itr) {
+    while (readlen) {
         if (*itr == '\r') {
             switch (*state) {
                 case HDR_STATE_GOT_CRLF:
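Review bot: The header comment above the signature still documents only the 0 and 1 return values, while the rewritten handle_headers also returns -1 (in the next hunk) when it meets a control byte other than HTAB; it should read ` * Returns 0 if it can't find the end of the headers, 1 if it found the end of the headers, and -1 if an invalid (control) character was found. */`. The comment should also state the new contract that only the first `readlen` bytes of `readbuf` are examined and that `readbuf` need not be NUL-terminated, since the old `while (*itr)` loop depended on a terminator that presumably was not there once 8K of header data filled the buffer. The `else if (*itr == '\t' || !apr_iscntrl(*itr))` branch in the following hunk deserves a one-line why-comment such as `/* only HTAB and non-control octets may appear in header fields */`. handle_headers's body continues beyond this hunk.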
@@ -347,13 +348,17 @@ static int handle_headers(request_rec *r
                      break;
             }
         }
-        else {
+        else if (*itr == '\t' || !apr_iscntrl(*itr)) {
             *state = HDR_STATE_READING_HEADERS;
         }
+        else {
+            return -1;
+        }
 
         if (*state == HDR_STATE_DONE_WITH_HEADERS)
             break;
 
+        --readlen;
         ++itr;
     }
 
@@ -563,7 +568,14 @@ recv_again:
                     APR_BRIGADE_INSERT_TAIL(ob, b);
 
                     if (! seen_end_of_headers) {
-                        int st = handle_headers(r, &header_state, iobuf);
+                        int st = handle_headers(r, &header_state, iobuf,
+                                                readbuflen);
+
+                        if (st == -1) {
+                            *err = "parsing response headers";
+                            rv = APR_EINVAL;
+                            break;
+                        }
 
                         if (st == 1) {
                             int status;
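Review bot: The error text set when `st == -1`, `*err = "parsing response headers"`, does not say what was rejected; since handle_headers returns -1 only for a control byte in the header block, `*err = "invalid character in response headers";` would make the resulting log entry actionable when an operator investigates a backend whose responses are being refused. The fix also rests on `readbuflen` being the number of bytes actually read into `iobuf` for this record rather than the buffer's capacity — that is not visible in this hunk and should be confirmed against the read that fills `iobuf`. The enclosing function starts outside the hunk.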
@@ -684,6 +696,11 @@ recv_again:
                 break;
             }
 
+            if (*err) {
+                /* stop on error in the above switch */
+                break;
+            }
+
             if (plen) {
                 rv = get_data_full(conn, iobuf, plen);
                 if (rv != APR_SUCCESS) {


