mod_authnz_fcgi: Fix a potential crash with response headers' size above 8K.
authorYann Ylavic <ylavic@apache.org>
Fri, 14 Nov 2014 18:18:15 +0000 (18:18 +0000)
committerYann Ylavic <ylavic@apache.org>
Fri, 14 Nov 2014 18:18:15 +0000 (18:18 +0000)
(similar to r1638818 for mod_proxy_fcgi).

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1639717 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
docs/log-message-tags/next-number
modules/aaa/mod_authnz_fcgi.c

diff --git a/CHANGES b/CHANGES
index 740c9f6069f9ac856c4ecd0b9ebb1db84419a8a1..74e462be05a32ee75fb59218e6b4e01e6377cc17 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,9 @@ Changes with Apache 2.5.0
      mod_proxy_fcgi: Fix a potential crash with response headers' size above 8K.
      [Teguh <chain rop.io>, Yann Ylavic]
 
+  *) mod_authnz_fcgi: Fix a potential crash with response headers' size above 8K.
+     [Yann Ylavic]
+
   *) mod_authnz_ldap: Resolve crashes with LDAP authz and non-LDAP authn since 
      r1608202. [Eric Covener]
  
index c5efbfab6446045a36b555d238a61deb36bb373c..a59062df096af80f0a4a2970794560e9fef2f5c2 100644 (file)
@@ -1 +1 @@
-2821
+2822
index 5e4a9378500ac7d91a00ac34b2b2f27f79774011..360d5ce8660b924eb20e8ef5a071e19066646534 100644 (file)
@@ -406,13 +406,12 @@ enum {
  *
  * Returns 0 if it can't find the end of the headers, and 1 if it found the
  * end of the headers. */
-static int handle_headers(request_rec *r,
-                          int *state,
-                          char *readbuf)
+static int handle_headers(request_rec *r, int *state,
+                          char *readbuf, apr_size_t readlen)
 {
     const char *itr = readbuf;
 
-    while (*itr) {
+    while (readlen) {
         if (*itr == '\r') {
             switch (*state) {
                 case HDR_STATE_GOT_CRLF:
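Review bot: The header comment above `handle_headers` still documents only the 0 and 1 results, although the following hunk adds a `return -1;` for a rejected byte and the signature gains `readlen`. I would extend the comment with `Returns -1 if the header data contains a control character other than HT.` and state that `readlen` bounds the scan, presumably as the number of valid bytes in `readbuf`. That matters to callers because the loop no longer stops at a NUL terminator. The function body begins in this hunk and continues past it.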
@@ -443,13 +442,17 @@ static int handle_headers(request_rec *r,
                      break;
             }
         }
-        else {
+        else if (*itr == '\t' || !apr_iscntrl(*itr)) {
             *state = HDR_STATE_READING_HEADERS;
         }
+        else {
+            return -1;
+        }
 
         if (*state == HDR_STATE_DONE_WITH_HEADERS)
             break;
 
+        --readlen;
         ++itr;
     }
 
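Review bot: The new `else if (*itr == '\t' || !apr_iscntrl(*itr))` branch carries no comment explaining why other control bytes abort parsing, so the rule is easy to loosen by accident later. A short comment such as `/* only HT is accepted among control characters; anything else, NUL included, means a malformed backend response */` would record the intent. As far as the visible branches show, an embedded NUL now reaches the `return -1` path instead of silently ending the scan as `while (*itr)` did. The CR/LF handling sits partly outside this hunk, so that should be confirmed there.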
@@ -555,7 +558,17 @@ static apr_status_t handle_response(const fcgi_provider_conf *conf,
                 APR_BRIGADE_INSERT_TAIL(ob, b);
 
                 if (!seen_end_of_headers) {
-                    int st = handle_headers(r, &header_state, readbuf);
+                    int st = handle_headers(r, &header_state, readbuf,
+                                            readbuflen);
+
+                    if (st == -1) {
+                        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                                      APLOGNO(02821) "%s: error reading "
+                                      "headers from %s",
+                                      fn, conf->backend);
+                        rv = APR_EINVAL;
+                        break;
+                    }
 
                     if (st == 1) {
                         int status;
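Review bot: The message logged for `st == -1` reads `error reading headers from %s` with a status of 0, which an operator will read as an I/O failure rather than a backend that sent a malformed header block. Wording like `"%s: invalid character in headers from %s"` would make the rejection distinguishable in the error log. Separately, `b` has already been appended to `ob` by `APR_BRIGADE_INSERT_TAIL(ob, b)` before the check, so the rejected bytes are in the brigade when the loop breaks. Whether the caller discards `ob` on `APR_EINVAL` is not visible in this hunk and should be verified.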
@@ -646,7 +659,7 @@ static apr_status_t handle_response(const fcgi_provider_conf *conf,
         /*
          * Read/discard any trailing padding.
          */
-        if (plen) {
+        if (rv == APR_SUCCESS && plen) {
             rv = recv_data_full(conf, r, s, readbuf, plen);
             if (rv != APR_SUCCESS) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
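Review bot: The comment above `if (rv == APR_SUCCESS && plen)` still says only "Read/discard any trailing padding", but the padding is now skipped whenever an earlier step has failed. I would extend it to `Read/discard any trailing padding, unless an earlier step already failed.` so the new condition is explained where it is tested. When the read is skipped, `plen` bytes of the record stay unread on `s`, so the error path must not keep parsing records from that socket. Whether it does is outside this hunk, as is the rest of `handle_response`.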