SECURITY (CVE-2014-3581): Fix a mod_cache NULL pointer deference

in Content-Type handling.

mod_cache: Avoid a crash when Content-Type has an empty value. PR56924.

Submitted By: Mark Montague <mark catseye.org>
Reviewed By: Jan Kaluza

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1624234 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 7e3c478519acf5017b1b335d3ee619503eda401b..deed72ceef1c9111eb9ea37cd66b5a117ed0d171 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) SECURITY: CVE-2014-3581 (cve.mitre.org)
+     mod_cache: Avoid a crash when Content-Type has an empty value. PR56924.
+     [Mark Montague <mark catseye.org>, Jan Kaluza]
+
   *) mod_proxy: Now allow for 191 character worker names, with non-fatal
      errors if name is truncated. PR53218. [Jim Jagielski]
 

diff --git a/modules/cache/cache_util.c b/modules/cache/cache_util.c
index 5b57003dd95eb777f17113f0284a688732dea09b..6862b5335d24d51406d19dd009d223a504234bc9 100644 (file)
--- a/modules/cache/cache_util.c
+++ b/modules/cache/cache_util.c
@@ -1276,8 +1276,10 @@ apr_table_t *cache_merge_headers_out(request_rec *r)
 
     if (r->content_type
             && !apr_table_get(headers_out, "Content-Type")) {
-        apr_table_setn(headers_out, "Content-Type",
-                       ap_make_content_type(r, r->content_type));
+        const char *ctype = ap_make_content_type(r, r->content_type);
+        if (ctype) {
+            apr_table_setn(headers_out, "Content-Type", ctype);
+        }
     }
 
     if (r->content_encoding