Return-Path: <dev-return-89717-archive-asf-public=cust-asf.ponee.io@httpd.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 4E4A1200CAE
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Wed, 21 Jun 2017 19:09:41 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id 4C7F9160BD5; Wed, 21 Jun 2017 17:09:41 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 9118C160BD0
	for <archive-asf-public@cust-asf.ponee.io>; Wed, 21 Jun 2017 19:09:40 +0200 (CEST)
Received: (qmail 54971 invoked by uid 500); 21 Jun 2017 17:09:39 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
List-Post: <mailto:dev@httpd.apache.org>
List-Id: <dev.httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 54961 invoked by uid 99); 21 Jun 2017 17:09:39 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 21 Jun 2017 17:09:39 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 450E2CEC59
	for <dev@httpd.apache.org>; Wed, 21 Jun 2017 17:09:39 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -1.101
X-Spam-Level: 
X-Spam-Status: No, score=-1.101 tagged_above=-999 required=6.31
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
	RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1, SPF_PASS=-0.001]
	autolearn=disabled
Authentication-Results: spamd1-us-west.apache.org (amavisd-new);
	dkim=pass (2048-bit key) header.d=gmail.com
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
	by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024)
	with ESMTP id 82Qs-AWN78wW for <dev@httpd.apache.org>;
	Wed, 21 Jun 2017 17:09:38 +0000 (UTC)
Received: from mail-pf0-f196.google.com (mail-pf0-f196.google.com [209.85.192.196])
	by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id 880E15FE1E
	for <dev@httpd.apache.org>; Wed, 21 Jun 2017 17:09:37 +0000 (UTC)
Received: by mail-pf0-f196.google.com with SMTP id s66so31858580pfs.2
        for <dev@httpd.apache.org>; Wed, 21 Jun 2017 10:09:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-language:content-transfer-encoding;
        bh=UVvoWMM3EKWRsMG96tsSQQvzMLFZ29myrWK5wI2Pabs=;
        b=g+ouMLWfyrsis0UkXtwup4W5wfi9M/lftojbczMBshChHVJqQVHus3ECOq7l04S6PM
         iRVUS8ipVcBAiLX637LhjoYoBIHK0IEOdwQLT4tga7oNQLUDkhpfNpaEb4/JhqqduyI4
         aIZtUXw+yI8Mvdz4baBCKqRV4hWKbF/ywgJX0jFcWaTe+mqk/eFCC9nPEi/0Tox/IcSL
         zNU5OuUSGndAHBbTmQh4vKqo0uqIUYJkZ+h8u1SaeNX//LXSRRLe5eFxGrJS2iezZc4U
         ro7ORD4g2ZylYrYUgpPbotvSc8t8yJo90CWSNkR/GMxet2Y1aKmzptY3IAJ6DzvyJUJI
         n27w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=UVvoWMM3EKWRsMG96tsSQQvzMLFZ29myrWK5wI2Pabs=;
        b=PkJre1Iu7lrjVceJryj93c8IBfXP+mdEYULRi1ab3MeNzNC8v/OfC1wlczrvZvV1oV
         0fUT3u9gBKCAnEFRpZAwPyuobMYfb31LQDR8ch8+M8rbSVq3s42XrEiXjWq11Gh9AyAs
         tLBaiTsJ6iGb02EQPeBjPt47d72/o9Ui8zrY+xAIUCl+qRVviL5V0i3/zwGPYgPbWy0X
         wA+UraIRCGZHIjsnYS47Qjj3s2dSHgk9es5QenrlVHUi+7Zu4Qyt2qOH2DSUi7PnPw8E
         OpH2F5uf7fg4LW8zCdbVYXRkCLMcoNFU3fJ3zjKCYkDou3E9E0xz3jGfRbEXJLiAZZgT
         55rQ==
X-Gm-Message-State: AKS2vOxcL8npca+lVJSi4t5iWqSf1Z+5LVmHH+UPNx3Zp3nrDoOkSDqT
	HvdbMGTjMY+9KMFYnPE=
X-Received: by 10.99.146.88 with SMTP id s24mr36235554pgn.85.1498064975775;
        Wed, 21 Jun 2017 10:09:35 -0700 (PDT)
Received: from [192.168.1.2] (50-39-112-180.bvtn.or.frontiernet.net. [50.39.112.180])
        by smtp.gmail.com with ESMTPSA id 5sm31340114pfe.60.2017.06.21.10.09.35
        for <dev@httpd.apache.org>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 21 Jun 2017 10:09:35 -0700 (PDT)
Subject: Re: svn commit: r1799375 - /httpd/httpd/trunk/server/util.c
To: dev@httpd.apache.org
References: <20170620230820.92CF93A25B1@svn01-us-west.apache.org>
 <CACsi252iUnj4K_CBzDcLhTP2tWO4T1-9LxjesNMKFrqk6_=TEw@mail.gmail.com>
From: Jacob Champion <champion.p@gmail.com>
Message-ID: <40f8643c-e5b7-0e88-4e62-f6bb49ff5841@gmail.com>
Date: Wed, 21 Jun 2017 10:09:34 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <CACsi252iUnj4K_CBzDcLhTP2tWO4T1-9LxjesNMKFrqk6_=TEw@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
archived-at: Wed, 21 Jun 2017 17:09:41 -0000

Reverted while the veto is in effect.

On 06/20/2017 11:08 PM, William A Rowe Jr wrote:
> Sorry but I reraise my objection and veto worthless cpu cycles.

Yep, but it's public now, which was my goal.

Background for the uninitiated: CVE-2017-7668 is a buffer overrun caused 
by Bill's patch in the Strict-HTTP backport, which inverted 
test_char_table's classification of the NULL character from "is an HTTP 
token stop" to "is NOT an HTTP token stop". A loop that relied on the 
previous behavior to stop at the end of strings was broken, causing a 
vulnerability.

My patch introduces redundant checks to ensure that even if NULL's 
classification changes in the future, all loops using test_char_table 
are provably correct without code changes, since we've already screwed 
this up once.

(Please understand that my goal here is not to point fingers at you, 
Bill, for the bug. I'm very thankful that you spent as much time as you 
did on the HTTP-strict backport. My goal is to scrutinize how we follow 
up on our mistakes after they're made, to try to make sure they don't 
happen again, and to figure out why a logically correct patch is being 
*vetoed* by you.)

> The correct fix to your concern is to document all expected behavior of 
> the null but in gen_test_char.c - and in such tests a /* !c && */ 
> notation is fine.

That's a personal judgment call, and it deserves the opinion of others 
on the list. You've used a veto to ensure that my preferred solution 
can't even reach trunk and get votes for backport. That is my major 
concern here.

If my patch goes to trunk and gets votes despite your concerns, it seems 
like that should be good enough. If it can't, and your preferred patch 
does get votes, great! At least it was all done fairly.

> Due to the way we assemble the code, I'm not convinced it that any 
> compiler can optimize away these infrequent cases.

I was under the impression that it was on you, as the one exercising the 
veto, to prove your case technically.

But that's really neither here nor there, because in the end, I'm 
comfortable trading a handful of nanoseconds for provable correctness 
and improved auditability. And I think others should be able to express 
their opinion on the matter *without* the shadow of a veto over the 
alternative that you dislike. Why would anyone else here spend time 
arguing for a patch that's already procedurally DOA?

> But there were only two questionable values for \0, and in this case the 
> answer is obvious. Invert the rule to a TOKEN char from the rather 
> dubious TOKEN_STOP definition. Solved.

Patches welcome.

--Jacob