httpd-dev mailing list archives

From Rüdiger Plüm <ruediger.pl...@vodafone.com>
Subject Re: CVE-2011-3607, int overflow ap_pregsub()
Date Thu, 22 Dec 2011 07:25:13 GMT


On 21.12.2011 20:08, Greg Ames wrote:
> On Tue, Dec 20, 2011 at 4:26 AM, William A. Rowe Jr.
> <wrowe@rowe-clan.net>  wrote:
>> We should come to a conclusion on this.
>
> How about this for 2.2.x ?
>
> --- server/util.c	(revision 1179624)
> +++ server/util.c	(working copy)
> @@ -82,6 +82,8 @@
>   #define IS_SLASH(s) (s == '/')
>   #endif
>
> +/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */
> +#define UTIL_SIZE_MAX (~((apr_size_t)0))
>
>   /*
>    * Examine a field value (such as a media-/content-type) string and return
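Review bot: UTIL_SIZE_MAX at line 25 of this hunk duplicates APR_SIZE_MAX, so if the branch already requires APR 1.3 the new macro can be dropped and APR_SIZE_MAX used directly; if older APR must still be supported, guard the definition with `#ifndef APR_SIZE_MAX` so it neither shadows nor diverges from APR's own definition once that header provides it, and extend the comment to say the fallback exists only for pre-1.3 APR so it can be removed later.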
> @@ -391,6 +393,11 @@
>               len++;
>           }
>           else if (no<  nmatch&&  pmatch[no].rm_so<  pmatch[no].rm_eo)
{
> +            if (UTIL_SIZE_MAX - len<= pmatch[no].rm_eo - pmatch[no].rm_so) {
> +                ap_log_error(APLOG_MARK, APLOG_WARNING, APR_ENOMEM, NULL,
> +                    "integer overflow or out of memory condition." );
> +                return NULL;
> +            }
>               len += pmatch[no].rm_eo - pmatch[no].rm_so;
>           }
>
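Review bot: the guard at the top of this hunk compares `UTIL_SIZE_MAX - len`, an apr_size_t, against `pmatch[no].rm_eo - pmatch[no].rm_so`, a difference of two signed regoff_t values; the enclosing `else if` already ensures `rm_so < rm_eo`, so the difference is positive and the implicit conversion is safe, but an explicit `(apr_size_t)` cast would make that reliance visible. The `<=` also rejects the case where `len` plus the span lands exactly on UTIL_SIZE_MAX, which is the right choice only if the function later adds one byte for a NUL terminator; a one-line comment stating that would stop a future reader from "fixing" it to `<`. Finally, the `len++` branch for literal characters just above the hunk stays unchecked; it is bounded by the template string length, so it cannot realistically overflow, but the asymmetry is worth a sentence in the comment.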
> Is apr 1.3 required for current 2.2.x?  I know it wasn't for older

IMHO APR 1.3 is mandatory for 2.2.x.

Regards

Rüdiger
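As an added illustration, not code from this thread or from httpd itself, the following stand-alone C function shows the shape of the guard Greg's patch adds: the output length of a substitution template is accumulated piece by piece, and each addition is refused if it would reach SIZE_MAX, leaving room for the NUL terminator. It goes slightly beyond the patch by guarding the literal-byte path too. The `match_span` record is a constructed stand-in for POSIX `regmatch_t`, and the template grammar (`\N` for group N) is assumed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for regmatch_t: offsets already validated as unsigned. */
typedef struct {
    size_t rm_so; /* start offset, inclusive */
    size_t rm_eo; /* end offset, exclusive */
} match_span;

/*
 * Compute the length of the substituted output for a template such as
 * "pre\1post": every literal byte adds 1, every "\N" adds the span of
 * match N (unmatched or empty groups add nothing).
 *
 * Returns 0 and stores the length in *out_len, or -1 as soon as adding
 * the next piece would make len reach SIZE_MAX, so len + 1 (the NUL
 * terminator a caller would allocate) can never wrap around.
 */
int checked_sub_length(const char *tmpl, const match_span *m,
                       size_t nmatch, size_t *out_len)
{
    size_t len = 0;
    const char *p;

    for (p = tmpl; *p != '\0'; p++) {
        size_t piece;

        if (*p == '\\' && p[1] >= '0' && p[1] <= '9') {
            size_t no = (size_t)(p[1] - '0');
            p++; /* consume the digit; the loop increment skips past it */
            if (no >= nmatch || m[no].rm_so >= m[no].rm_eo) {
                continue; /* group did not participate: contributes nothing */
            }
            piece = m[no].rm_eo - m[no].rm_so;
        }
        else {
            piece = 1; /* literal byte; the original patch leaves this unchecked */
        }

        /* Same shape as the patch's guard: refuse if len + piece >= SIZE_MAX. */
        if (SIZE_MAX - len <= piece) {
            return -1;
        }
        len += piece;
    }

    *out_len = len;
    return 0;
}

int main(void)
{
    /* Constructed sample: group 0 covers 10 bytes, group 1 is bytes [2,5). */
    match_span normal[2] = { { 0, 10 }, { 2, 5 } };
    /* Constructed sample: a span so large that any prefix byte pushes it over. */
    match_span huge[2] = { { 0, 1 }, { 0, SIZE_MAX - 1 } };
    size_t n = 0;

    if (checked_sub_length("a\\1b", normal, 2, &n) == 0) {
        printf("normal template length: %zu\n", n); /* 1 + 3 + 1 = 5 */
    }
    if (checked_sub_length("a\\1b", huge, 2, &n) != 0) {
        printf("oversized template rejected\n");
    }
    return 0;
}
```

The rejection in the second call comes from the same inequality the patch uses; with `<` instead of `<=` the length would silently become SIZE_MAX and a subsequent `len + 1` allocation would wrap to zero.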

