Revert r1638818, r1639812, r1639717 and r1639814 for new staging.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1640034 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 74e462be05a32ee75fb59218e6b4e01e6377cc17..b91a5a07af3d294270488df6421b78f7e1cc6296 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,13 +1,6 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
   
-  *) SECURITY: CVE-2014-3583 (cve.mitre.org)
-     mod_proxy_fcgi: Fix a potential crash with response headers' size above 8K.
-     [Teguh <chain rop.io>, Yann Ylavic]
-
-  *) mod_authnz_fcgi: Fix a potential crash with response headers' size above 8K.
-     [Yann Ylavic]
-
   *) mod_authnz_ldap: Resolve crashes with LDAP authz and non-LDAP authn since 
      r1608202. [Eric Covener]
  

diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number
index a59062df096af80f0a4a2970794560e9fef2f5c2..c5efbfab6446045a36b555d238a61deb36bb373c 100644 (file)
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-2822
+2821

diff --git a/modules/aaa/mod_authnz_fcgi.c b/modules/aaa/mod_authnz_fcgi.c
index 1385b82e0fab85936b1f55befb8d1b0c1e6a4031..5e4a9378500ac7d91a00ac34b2b2f27f79774011 100644 (file)
--- a/modules/aaa/mod_authnz_fcgi.c
+++ b/modules/aaa/mod_authnz_fcgi.c
@@ -406,12 +406,13 @@ enum {
  *
  * Returns 0 if it can't find the end of the headers, and 1 if it found the
  * end of the headers. */
-static int handle_headers(request_rec *r, int *state,
-                          char *readbuf, apr_size_t readlen)
+static int handle_headers(request_rec *r,
+                          int *state,
+                          char *readbuf)
 {
     const char *itr = readbuf;
 
-    while (readlen) {
+    while (*itr) {
         if (*itr == '\r') {
             switch (*state) {
                 case HDR_STATE_GOT_CRLF:
@@ -449,7 +450,6 @@ static int handle_headers(request_rec *r, int *state,
         if (*state == HDR_STATE_DONE_WITH_HEADERS)
             break;
 
-        --readlen;
         ++itr;
     }
 
@@ -555,17 +555,7 @@ static apr_status_t handle_response(const fcgi_provider_conf *conf,
                 APR_BRIGADE_INSERT_TAIL(ob, b);
 
                 if (!seen_end_of_headers) {
-                    int st = handle_headers(r, &header_state, readbuf,
-                                            readbuflen);
-
-                    if (st == -1) {
-                        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                                      APLOGNO(02821) "%s: error reading "
-                                      "headers from %s",
-                                      fn, conf->backend);
-                        rv = APR_EINVAL;
-                        break;
-                    }
+                    int st = handle_headers(r, &header_state, readbuf);
 
                     if (st == 1) {
                         int status;
@@ -656,7 +646,7 @@ static apr_status_t handle_response(const fcgi_provider_conf *conf,
         /*
          * Read/discard any trailing padding.
          */
-        if (rv == APR_SUCCESS && plen) {
+        if (plen) {
             rv = recv_data_full(conf, r, s, readbuf, plen);
             if (rv != APR_SUCCESS) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,

diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c
index 9a4dd77a3e48145d10fc000316cbd31784f1c5a5..ab1118238bf09628871d30c2564725703100a528 100644 (file)
--- a/modules/proxy/mod_proxy_fcgi.c
+++ b/modules/proxy/mod_proxy_fcgi.c
@@ -18,8 +18,6 @@
 #include "util_fcgi.h"
 #include "util_script.h"
 
-#include "apr_lib.h" /* for apr_iscntrl() */
-
 module AP_MODULE_DECLARE_DATA proxy_fcgi_module;
 
 /*
@@ -312,12 +310,13 @@ enum {
  *
  * Returns 0 if it can't find the end of the headers, and 1 if it found the
  * end of the headers. */
-static int handle_headers(request_rec *r, int *state,
-                          const char *readbuf, apr_size_t readlen)
+static int handle_headers(request_rec *r,
+                          int *state,
+                          char *readbuf)
 {
     const char *itr = readbuf;
 
-    while (readlen) {
+    while (*itr) {
         if (*itr == '\r') {
             switch (*state) {
                 case HDR_STATE_GOT_CRLF:
@@ -355,7 +354,6 @@ static int handle_headers(request_rec *r, int *state,
         if (*state == HDR_STATE_DONE_WITH_HEADERS)
             break;
 
-        --readlen;
         ++itr;
     }
 
@@ -565,14 +563,7 @@ recv_again:
                     APR_BRIGADE_INSERT_TAIL(ob, b);
 
                     if (! seen_end_of_headers) {
-                        int st = handle_headers(r, &header_state, iobuf,
-                                                readbuflen);
-
-                        if (st == -1) {
-                            *err = "parsing response headers";
-                            rv = APR_EINVAL;
-                            break;
-                        }
+                        int st = handle_headers(r, &header_state, iobuf);
 
                         if (st == 1) {
                             int status;
@@ -693,11 +684,6 @@ recv_again:
                 break;
             }
 
-            if (*err) {
-                /* stop on error in the above switch */
-                break;
-            }
-
             if (plen) {
                 rv = get_data_full(conn, iobuf, plen);
                 if (rv != APR_SUCCESS) {