Return-Path: 
 <cvs-return-51998-apmail-httpd-cvs-archive=httpd.apache.org@httpd.apache.org>
X-Original-To: apmail-httpd-cvs-archive@www.apache.org
Delivered-To: apmail-httpd-cvs-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 05C40F8FE
	for <apmail-httpd-cvs-archive@www.apache.org>;
 Fri, 14 Nov 2014 18:18:39 +0000 (UTC)
Received: (qmail 10739 invoked by uid 500); 14 Nov 2014 18:18:38 -0000
Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org
Received: (qmail 10681 invoked by uid 500); 14 Nov 2014 18:18:38 -0000
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:cvs-help@httpd.apache.org>
list-unsubscribe: <mailto:cvs-unsubscribe@httpd.apache.org>
List-Post: <mailto:cvs@httpd.apache.org>
List-Id: <cvs.httpd.apache.org>
Delivered-To: mailing list cvs@httpd.apache.org
Received: (qmail 10672 invoked by uid 99); 14 Nov 2014 18:18:38 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 14 Nov 2014 18:18:38 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=5.0
	tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 14 Nov 2014 18:18:37 +0000
Received: from eris.apache.org (localhost [127.0.0.1])
	by eris.apache.org (Postfix) with ESMTP id 8AC6423888D7;
	Fri, 14 Nov 2014 18:18:15 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r1639717 - in /httpd/httpd/trunk: CHANGES
 docs/log-message-tags/next-number modules/aaa/mod_authnz_fcgi.c
Date: Fri, 14 Nov 2014 18:18:15 -0000
To: cvs@httpd.apache.org
From: ylavic@apache.org
X-Mailer: svnmailer-1.0.9
Message-Id: <20141114181815.8AC6423888D7@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org

Author: ylavic
Date: Fri Nov 14 18:18:15 2014
New Revision: 1639717

URL: http://svn.apache.org/r1639717
Log:
mod_authnz_fcgi: Fix a potential crash with response headers' size above 8K.
(similar to r1638818 for mod_proxy_fcgi).

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/log-message-tags/next-number
    httpd/httpd/trunk/modules/aaa/mod_authnz_fcgi.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1639717&r1=1639716&r2=1639717&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Nov 14 18:18:15 2014
@@ -5,6 +5,9 @@ Changes with Apache 2.5.0
      mod_proxy_fcgi: Fix a potential crash with response headers' size above 8K.
      [Teguh <chain rop.io>, Yann Ylavic]
 
+  *) mod_authnz_fcgi: Fix a potential crash with response headers' size above 8K.
+     [Yann Ylavic]
+
   *) mod_authnz_ldap: Resolve crashes with LDAP authz and non-LDAP authn since 
      r1608202. [Eric Covener]
  

Modified: httpd/httpd/trunk/docs/log-message-tags/next-number
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/log-message-tags/next-number?rev=1639717&r1=1639716&r2=1639717&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/log-message-tags/next-number (original)
+++ httpd/httpd/trunk/docs/log-message-tags/next-number Fri Nov 14 18:18:15 2014
@@ -1 +1 @@
-2821
+2822

Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_fcgi.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_fcgi.c?rev=1639717&r1=1639716&r2=1639717&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authnz_fcgi.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authnz_fcgi.c Fri Nov 14 18:18:15 2014
@@ -406,13 +406,12 @@ enum {
  *
  * Returns 0 if it can't find the end of the headers, and 1 if it found the
  * end of the headers. */
-static int handle_headers(request_rec *r,
-                          int *state,
-                          char *readbuf)
+static int handle_headers(request_rec *r, int *state,
+                          char *readbuf, apr_size_t readlen)
 {
     const char *itr = readbuf;
 
-    while (*itr) {
+    while (readlen) {
         if (*itr == '\r') {
             switch (*state) {
                 case HDR_STATE_GOT_CRLF:
@@ -443,13 +442,17 @@ static int handle_headers(request_rec *r
                      break;
             }
         }
-        else {
+        else if (*itr == '\t' || !apr_iscntrl(*itr)) {
             *state = HDR_STATE_READING_HEADERS;
         }
+        else {
+            return -1;
+        }
 
         if (*state == HDR_STATE_DONE_WITH_HEADERS)
             break;
 
+        --readlen;
         ++itr;
     }
 
@@ -555,7 +558,17 @@ static apr_status_t handle_response(cons
                 APR_BRIGADE_INSERT_TAIL(ob, b);
 
                 if (!seen_end_of_headers) {
-                    int st = handle_headers(r, &header_state, readbuf);
+                    int st = handle_headers(r, &header_state, readbuf,
+                                            readbuflen);
+
+                    if (st == -1) {
+                        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                                      APLOGNO(02821) "%s: error reading "
+                                      "headers from %s",
+                                      fn, conf->backend);
+                        rv = APR_EINVAL;
+                        break;
+                    }
 
                     if (st == 1) {
                         int status;
@@ -646,7 +659,7 @@ static apr_status_t handle_response(cons
         /*
          * Read/discard any trailing padding.
          */
-        if (plen) {
+        if (rv == APR_SUCCESS && plen) {
             rv = recv_data_full(conf, r, s, readbuf, plen);
             if (rv != APR_SUCCESS) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,