mod_proxy_fcgi: CVE-2014-3583: Fix a potential crash with response headers'

author Yann Ylavic <ylavic@apache.org>

Wed, 12 Nov 2014 15:41:07 +0000 (15:41 +0000)

committer Yann Ylavic <ylavic@apache.org>

Wed, 12 Nov 2014 15:41:07 +0000 (15:41 +0000)
author Yann Ylavic <ylavic@apache.org>
Wed, 12 Nov 2014 15:41:07 +0000 (15:41 +0000)
committer Yann Ylavic <ylavic@apache.org>
Wed, 12 Nov 2014 15:41:07 +0000 (15:41 +0000)
diff --git a/CHANGES b/CHANGES

index 5aafa7de3020848cfc51429738c0efcc6b9b4f34..c33226fa6dd4fe43155cb342ac0a71c4308755f4 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                           -*- coding: utf-8 -*-
  Changes with Apache 2.5.0
    
+  *) SECURITY: CVE-2014-3583 (cve.mitre.org)
+     mod_proxy_fcgi: Fix a potential crash with response headers' size above 8K.
+     [Teguh <chain rop.io>, Yann Ylavic]
+
    *) event: Resolve potential crashes under load after r1604350. [Eric Covener]
  
    *) mod_authnz_ldap: Resolve crashes with LDAP authz and non-LDAP authn since 
diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c

index ab1118238bf09628871d30c2564725703100a528..fb71b5074b955d56306bccd5868c98fcd6159427 100644 (file)
--- a/modules/proxy/mod_proxy_fcgi.c
+++ b/modules/proxy/mod_proxy_fcgi.c
@@ -18,6 +18,8 @@
  #include "util_fcgi.h"
  #include "util_script.h"
  
+#include "apr_lib.h" /* for apr_iscntrl() */
+
  module AP_MODULE_DECLARE_DATA proxy_fcgi_module;
  
  /*
@@ -310,13 +312,12 @@ enum {
   *
   * Returns 0 if it can't find the end of the headers, and 1 if it found the
   * end of the headers. */
-static int handle_headers(request_rec *r,
-                          int *state,
-                          char *readbuf)
+static int handle_headers(request_rec *r, int *state,
+                          const char *readbuf, apr_size_t readlen)
  {
      const char *itr = readbuf;
  
-    while (*itr) {
+    while (readlen) {
          if (*itr == '\r') {
              switch (*state) {
                  case HDR_STATE_GOT_CRLF:
@@ -347,13 +348,17 @@ static int handle_headers(request_rec *r,
                       break;
              }
          }
-        else {
+        else if (*itr == '\t' || !apr_iscntrl(*itr)) {
              *state = HDR_STATE_READING_HEADERS;
          }
+        else {
+            return -1;
+        }
  
          if (*state == HDR_STATE_DONE_WITH_HEADERS)
              break;
  
+        --readlen;
          ++itr;
      }
  
@@ -563,7 +568,14 @@ recv_again:
                      APR_BRIGADE_INSERT_TAIL(ob, b);
  
                      if (! seen_end_of_headers) {
-                        int st = handle_headers(r, &header_state, iobuf);
+                        int st = handle_headers(r, &header_state, iobuf,
+                                                readbuflen);
+
+                        if (st == -1) {
+                            *err = "parsing response headers";
+                            rv = APR_EINVAL;
+                            break;
+                        }
  
                          if (st == 1) {
                              int status;
@@ -684,6 +696,11 @@ recv_again:
                  break;
              }
  
+            if (*err) {
+                /* stop on error in the above switch */
+                break;
+            }
+
              if (plen) {
                  rv = get_data_full(conn, iobuf, plen);
                  if (rv != APR_SUCCESS) {
author	Yann Ylavic <ylavic@apache.org>
	Wed, 12 Nov 2014 15:41:07 +0000 (15:41 +0000)
committer	Yann Ylavic <ylavic@apache.org>
	Wed, 12 Nov 2014 15:41:07 +0000 (15:41 +0000)
CHANGES		patch \| blob \| history
modules/proxy/mod_proxy_fcgi.c		patch \| blob \| history