www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

mod_proxy_fcgi: SECURITY: CVE-2014-3583 (cve.mitre.org)

Browse Source 
Fix a potential crash with response headers' size above 8K.

The code changes to mod_authnz_fcgi keep the handle_headers()
function in sync between the two modules.  mod_authnz_fcgi
does not have this issue because it allocated a separate byte
for terminating '\0'.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1640036 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Yann Ylavic
2014-11-16 22:04:39 +00:00
parent 31e1a51f0f
commit 54f0797498
3 changed files with 14 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@@ -1,6 +1,10 @@
-*- coding: utf-8 -*- -*- coding: utf-8 -*-
Changes with Apache 2.5.0 Changes with Apache 2.5.0
*) SECURITY: CVE-2014-3583 (cve.mitre.org)
mod_proxy_fcgi, mod_authnz_fcgi: Fix a potential crash with response
headers' size above 8K. [Teguh <chain rop.io>, Yann Ylavic, Jeff Trawick]
*) mod_authnz_ldap: Resolve crashes with LDAP authz and non-LDAP authn since *) mod_authnz_ldap: Resolve crashes with LDAP authz and non-LDAP authn since
r1608202. [Eric Covener] r1608202. [Eric Covener]

10
modules/aaa/mod_authnz_fcgi.c
View File

@@ -406,13 +406,12 @@ enum {
* *
* Returns 0 if it can't find the end of the headers, and 1 if it found the * Returns 0 if it can't find the end of the headers, and 1 if it found the
* end of the headers. */ * end of the headers. */
static int handle_headers(request_rec *r, static int handle_headers(request_rec *r, int *state,
int *state, const char *readbuf, apr_size_t readlen)
char *readbuf)
{ {
const char *itr = readbuf; const char *itr = readbuf;
while (*itr) { while (readlen--) {
if (*itr == '\r') { if (*itr == '\r') {
switch (*state) { switch (*state) {
case HDR_STATE_GOT_CRLF: case HDR_STATE_GOT_CRLF:
@@ -555,7 +554,8 @@ static apr_status_t handle_response(const fcgi_provider_conf *conf,
APR_BRIGADE_INSERT_TAIL(ob, b); APR_BRIGADE_INSERT_TAIL(ob, b);
if (!seen_end_of_headers) { if (!seen_end_of_headers) {
int st = handle_headers(r, &header_state, readbuf); int st = handle_headers(r, &header_state,
readbuf, readbuflen);
if (st == 1) { if (st == 1) {
int status; int status;

10
modules/proxy/mod_proxy_fcgi.c
View File

@@ -310,13 +310,12 @@ enum {
* *
* Returns 0 if it can't find the end of the headers, and 1 if it found the * Returns 0 if it can't find the end of the headers, and 1 if it found the
* end of the headers. */ * end of the headers. */
static int handle_headers(request_rec *r, static int handle_headers(request_rec *r, int *state,
int *state, const char *readbuf, apr_size_t readlen)
char *readbuf)
{ {
const char *itr = readbuf; const char *itr = readbuf;
while (*itr) { while (readlen--) {
if (*itr == '\r') { if (*itr == '\r') {
switch (*state) { switch (*state) {
case HDR_STATE_GOT_CRLF: case HDR_STATE_GOT_CRLF:
@@ -563,7 +562,8 @@ recv_again:
APR_BRIGADE_INSERT_TAIL(ob, b); APR_BRIGADE_INSERT_TAIL(ob, b);
if (! seen_end_of_headers) { if (! seen_end_of_headers) {
int st = handle_headers(r, &header_state, iobuf); int st = handle_headers(r, &header_state,
iobuf, readbuflen);
if (st == 1) { if (st == 1) {
int status; int status;