httpd-dev mailing list archives

From Greg Ames <ames.g...@gmail.com>
Subject Re: CVE-2011-3607, int overflow ap_pregsub()
Date Wed, 21 Dec 2011 19:08:12 GMT
On Tue, Dec 20, 2011 at 4:26 AM, William A. Rowe Jr.
<wrowe@rowe-clan.net> wrote:
> We should come to a conclusion on this.

How about this for 2.2.x ?

--- server/util.c	(revision 1179624)
+++ server/util.c	(working copy)
@@ -82,6 +82,8 @@
 #define IS_SLASH(s) (s == '/')
 #endif

+/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */
+#define UTIL_SIZE_MAX (~((apr_size_t)0))

 /*
  * Examine a field value (such as a media-/content-type) string and return
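Review bot: the fallback should defer to APR's own definition where it exists instead of unconditionally adding a second name for the same value; wrap it as `#ifndef APR_SIZE_MAX` / `#define APR_SIZE_MAX (~((apr_size_t)0))` / `#endif` and use APR_SIZE_MAX below, so the local macro disappears by itself once the minimum APR is raised and the two definitions cannot drift. The expression itself is correct for an unsigned apr_size_t.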
@@ -391,6 +393,11 @@
             len++;
         }
         else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+            if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) {
+                ap_log_error(APLOG_MARK, APLOG_WARNING, APR_ENOMEM, NULL,
+                    "integer overflow or out of memory condition." );
+                return NULL;
+            }
             len += pmatch[no].rm_eo - pmatch[no].rm_so;
         }

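Review bot: the `<=` (rather than `<`) is doing real work here: it refuses a sum that would exactly reach UTIL_SIZE_MAX, leaving the one byte the NUL terminator of the result needs, and that intent should be stated in a comment next to the test or a later cleanup will "correct" it to `<`. The comparison is otherwise sound, since the enclosing condition guarantees rm_so < rm_eo, so the difference is positive before it is converted to apr_size_t. Two gaps remain: the `len++` on the literal path at the top of the hunk is unguarded, so after a near-maximal accumulation a single literal character can still carry len to UTIL_SIZE_MAX (in practice unreachable with int-sized offsets, but the guard is incomplete in principle, and a cap on the total length would be more robust); and `return NULL` is a failure return ap_pregsub() did not previously have, so every caller in 2.2.x needs to be checked for NULL handling before this is backported.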
Is apr 1.3 required for current 2.2.x?  I know it wasn't for older
2.2.x releases, and I hope we don't change apr levels in the middle of
an httpd version.  Therefore I created the local #define
UTIL_SIZE_MAX.  Do we document the apr minimum prereqs anywhere?

full disclosure: my make using apr 1.2 choked trying to compile
byterange_filter because apr_array_clear wasn't defined.  It is in apr
1.3.  However, httpd's configure.in appears to be happy with any apr
1.x release.

Greg
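The guard in the patch above, worked through as an added example that is not httpd's code: a stand-alone length computation for the same substitution grammar ('&' and "$0".."$9" refer to captures, a backslash escapes '$' or '&'), with the overflow check applied to every addition rather than only to capture spans. The `match_t` type (with size_t offsets, so that an overflow can be exercised with a constructed match instead of billions of references; httpd's ap_regmatch_t uses int fields), `expansion_length`, `add_len` and the `demo_*` functions are names assumed here for illustration, and the captures in the demos are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the match record (constructed for this example; httpd's
 * ap_regmatch_t uses int offsets). rm_so < rm_eo means "matched". */
typedef struct {
    size_t rm_so;   /* start offset of the capture, inclusive */
    size_t rm_eo;   /* end offset of the capture, exclusive */
} match_t;

/* Same value as the patch's UTIL_SIZE_MAX / APR_SIZE_MAX: all bits set. */
#define UTIL_SIZE_MAX (~((size_t)0))

/* Add n to *len, refusing if the sum would wrap around or reach
 * UTIL_SIZE_MAX (one byte must stay free for the NUL terminator of the
 * buffer that will be allocated from the result). */
static int add_len(size_t *len, size_t n)
{
    if (UTIL_SIZE_MAX - *len <= n)
        return 0;
    *len += n;
    return 1;
}

/*
 * Length of the expansion of `input` against the captures in `pmatch`.
 * Returns 1 and stores the length in *out_len, or returns 0 (and stores 0)
 * when accumulating the length would overflow.  Unlike the patch, the
 * literal-character path is guarded as well, so len can never reach
 * UTIL_SIZE_MAX by any route.
 */
int expansion_length(const char *input, const match_t *pmatch, size_t nmatch,
                     size_t *out_len)
{
    const char *src = input;
    size_t len = 0;
    int c;

    while ((c = *src++) != '\0') {
        int no;

        if (c == '&')
            no = 0;
        else if (c == '$' && src[0] >= '0' && src[0] <= '9')
            no = *src++ - '0';
        else
            no = 10;                        /* sentinel: not a reference */

        if (no > 9) {
            /* literal character; a backslash before '$' or '&' is dropped */
            if (c == '\\' && (*src == '$' || *src == '&'))
                src++;
            if (!add_len(&len, 1))
                goto overflow;
        }
        else if ((size_t)no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
            /* the condition guarantees the difference is positive */
            if (!add_len(&len, pmatch[no].rm_eo - pmatch[no].rm_so))
                goto overflow;
        }
        /* an unmatched or out-of-range capture expands to nothing */
    }
    *out_len = len;
    return 1;

overflow:
    *out_len = 0;
    return 0;
}

/* Constructed scenarios (not from httpd); results are returned, not printed. */
size_t demo_normal_len(void)
{
    match_t m[2] = { {0, 5}, {2, 4} };  /* capture 0 = [0,5), capture 1 = [2,4) */
    size_t n = 0;
    expansion_length("x&y$1z$5", m, 2, &n);  /* $5 is out of range: nothing */
    return n;
}

size_t demo_escape_len(void)
{
    match_t m[2] = { {0, 5}, {2, 4} };
    size_t n = 0;
    expansion_length("\\$1&", m, 2, &n);     /* "\$" is a literal '$' */
    return n;
}

/* 1 if `input` is rejected when capture 1 spans UTIL_SIZE_MAX - 1 bytes. */
int demo_rejects(const char *input)
{
    match_t m[2] = { {0, 0}, {0, UTIL_SIZE_MAX - 1} };  /* capture 0 unmatched */
    size_t n = 1;
    int ok = expansion_length(input, m, 2, &n);
    return ok == 0 && n == 0;
}

int main(void)
{
    printf("\"x&y$1z$5\" expands to %zu bytes\n", demo_normal_len());
    printf("\"$1\"   with a huge capture: %s\n", demo_rejects("$1") ? "rejected" : "accepted");
    printf("\"$1$1\" with a huge capture: %s\n", demo_rejects("$1$1") ? "rejected" : "accepted");
    printf("\"$1a\"  with a huge capture: %s\n", demo_rejects("$1a") ? "rejected" : "accepted");
    return 0;
}
```

"$1" alone is accepted with a length of UTIL_SIZE_MAX - 1, because the result plus its terminator still fits; a second reference, or even one more literal byte, is refused. The last case is the one the patch as posted does not cover, since its `len++` for literals has no check.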
