mod_proxy_fcgi: SECURITY: CVE-2014-3583 (cve.mitre.org)

Fix a potential crash with response headers' size above 8K. The code changes to mod_authnz_fcgi keep the handle_headers() function in sync between the two modules. mod_authnz_fcgi does not have this issue because it allocated a separate byte for terminating '\0'. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1640036 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2014-11-16 22:04:39 +00:00
parent 31e1a51f0f
commit 54f0797498
3 changed files with 14 additions and 10 deletions
--- a/modules/proxy/mod_proxy_fcgi.c
+++ b/modules/proxy/mod_proxy_fcgi.c
@@ -310,13 +310,12 @@ enum {
 *
 * Returns 0 if it can't find the end of the headers, and 1 if it found the
 * end of the headers. */
-static int handle_headers(request_rec *r,
-                          int *state,
-                          char *readbuf)
+static int handle_headers(request_rec *r, int *state,
+                          const char *readbuf, apr_size_t readlen)
 {
    const char *itr = readbuf;

-    while (*itr) {
+    while (readlen--) {
        if (*itr == '\r') {
            switch (*state) {
                case HDR_STATE_GOT_CRLF:
@@ -563,7 +562,8 @@ recv_again:
                    APR_BRIGADE_INSERT_TAIL(ob, b);

                    if (! seen_end_of_headers) {
-                        int st = handle_headers(r, &header_state, iobuf);
+                        int st = handle_headers(r, &header_state,
+                                                iobuf, readbuflen);

                        if (st == 1) {
                            int status;