SECURITY (CVE-2014-0226): Fix a race condition in scoreboard handling,

which could lead to a heap buffer overflow. Thanks to Marek Kroemeke working with HP's Zero Day Initiative for reporting this. * include/scoreboard.h: Add ap_copy_scoreboard_worker. * server/scoreboard.c (ap_copy_scoreboard_worker): New function. * modules/generators/mod_status.c (status_handler): Use it. * modules/lua/lua_request.c (lua_ap_scoreboard_worker): Likewise. Reviewed by: trawick, jorton, covener, jim Submitted by: jorton, covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1610491 13f79535-47bb-0310-9956-ffa450edef68
2025-08-04 05:42:12 +03:00 · 2014-07-14 19:26:00 +00:00
parent 5b6b58bbf2
commit b2605d20c4
5 changed files with 47 additions and 8 deletions
--- a/modules/lua/lua_request.c
+++ b/modules/lua/lua_request.c
@@ -1242,16 +1242,22 @@ static int lua_ap_scoreboard_process(lua_State *L)
 */
 static int lua_ap_scoreboard_worker(lua_State *L)
 {
-    int i,
-        j;
-    worker_score   *ws_record;
+    int i, j;
+    worker_score *ws_record = NULL;
+    request_rec *r = NULL;

    luaL_checktype(L, 1, LUA_TUSERDATA);
    luaL_checktype(L, 2, LUA_TNUMBER);
    luaL_checktype(L, 3, LUA_TNUMBER);
+
+    r = ap_lua_check_request_rec(L, 1);
+    if (!r) return 0;
+
    i = lua_tointeger(L, 2);
    j = lua_tointeger(L, 3);
-    ws_record = ap_get_scoreboard_worker_from_indexes(i, j);
+    ws_record = apr_palloc(r->pool, sizeof *ws_record);
+
+    ap_copy_scoreboard_worker(ws_record, i, j);
    if (ws_record) {
        lua_newtable(L);