If the sum of all ranges in a request is not smaller than the file, fall back
authorStefan Fritsch <sf@apache.org>
Sat, 27 Aug 2011 12:31:06 +0000 (12:31 +0000)
committerStefan Fritsch <sf@apache.org>
Sat, 27 Aug 2011 12:31:06 +0000 (12:31 +0000)
to 200.  This takes care of potential DoS issues from ranges like
0-100,1000-,0-100,1000-,...

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1162331 13f79535-47bb-0310-9956-ffa450edef68

modules/http/byterange_filter.c

index dc9092f1cc0df6cf73b748178e24d5aacf15063a..359f870d3f820c158c47c81ffd0329d70fffbe61 100644 (file)
@@ -420,7 +420,7 @@ static int ap_set_byterange(request_rec *r, apr_off_t clength,
     char *cur, **new;
     apr_array_header_t *merged;
     int num_ranges = 0;
-    apr_off_t ostart = 0, oend = 0;
+    apr_off_t ostart = 0, oend = 0, sum_lenghts = 0;
     int in_merge = 0;
     indexes_t *idx;
     int overlaps = 0, reversals = 0;
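Review bot: The new accumulator is misspelled as `sum_lenghts` in this declaration and in every later use in the commit (the two `+=` lines and the final comparison); renaming it to `sum_lengths` now avoids carrying the typo forward. A short comment at the declaration, such as `/* total length of the ranges pushed onto indexes */`, would also say what it counts. ap_set_byterange starts and ends outside this hunk.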
@@ -560,6 +560,7 @@ static int ap_set_byterange(request_rec *r, apr_off_t clength,
             idx = (indexes_t *)apr_array_push(indexes);
             idx->start = ostart;
             idx->end = oend;
+            sum_lenghts += oend - ostart + 1;
             /* new set again */
             in_merge = 1;
             ostart = start;
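Review bot: `sum_lenghts += oend - ostart + 1;` accumulates into a signed `apr_off_t` with no upper bound, and the same addition is repeated after the loop in the next hunk. The total is compared with `clength` only after every range has been parsed and pushed. Repeated ranges are exactly the input this commit targets, so the sum can reach many multiples of `clength`, and for a very large file it could in principle overflow, which is undefined behaviour for a signed type. Testing the remaining budget before adding, for example `if (oend - ostart + 1 >= clength - sum_lenghts) return 0;`, keeps the sum below `clength` and stops the work early. Whether returning at this point is safe depends on parts of ap_set_byterange outside the hunk.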
@@ -575,8 +576,14 @@ static int ap_set_byterange(request_rec *r, apr_off_t clength,
         idx = (indexes_t *)apr_array_push(indexes);
         idx->start = ostart;
         idx->end = oend;
+        sum_lenghts += oend - ostart + 1;
         num_ranges++;
     }
+    if (sum_lenghts >= clength) {
+        ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
+                      "Sum of ranges not smaller than file, ignoring.");
+        return 0;
+    }
         
     r->status = HTTP_PARTIAL_CONTENT;
     r->range = apr_array_pstrcat(r->pool, merged, ',');
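Review bot: The `>=` in `if (sum_lenghts >= clength)` also matches a single range that covers the whole file, such as `bytes=0-`, so such a request now falls through to a plain 200, where the old code presumably reached the `HTTP_PARTIAL_CONTENT` assignment below. The commit message states this threshold, but clients that send `0-` to probe for range support would see a behaviour change. If that is not intended, restrict the fallback to the multi-range case, e.g. `if (num_ranges > 1 && sum_lenghts >= clength) {`, assuming `num_ranges` counts the ranges kept after merging; otherwise add a comment saying that full-file ranges are deliberately answered with 200. The fallback is logged at `APLOG_TRACE1`, so at default log levels operators will not see it when investigating abusive Range headers. The function continues past the end of this hunk.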