Fix a potential crash with response headers' size above 8K.
The code changes to mod_authnz_fcgi keep the handle_headers()
function in sync between the two modules. mod_authnz_fcgi
does not have this issue because it allocated a separate byte
for terminating '\0'.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@
1640036 13f79535-47bb-0310-9956-
ffa450edef68
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) SECURITY: CVE-2014-3583 (cve.mitre.org)
+ mod_proxy_fcgi, mod_authnz_fcgi: Fix a potential crash with response
+ headers' size above 8K. [Teguh <chain rop.io>, Yann Ylavic, Jeff Trawick]
+
*) mod_authnz_ldap: Resolve crashes with LDAP authz and non-LDAP authn since
r1608202. [Eric Covener]
*
* Returns 0 if it can't find the end of the headers, and 1 if it found the
* end of the headers. */
-static int handle_headers(request_rec *r,
- int *state,
- char *readbuf)
+static int handle_headers(request_rec *r, int *state,
+ const char *readbuf, apr_size_t readlen)
{
const char *itr = readbuf;
- while (*itr) {
+ while (readlen--) {
if (*itr == '\r') {
switch (*state) {
case HDR_STATE_GOT_CRLF:
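Review bot: The comment above handle_headers() still documents only the return value, although the new signature changes the input contract: the scan is now bounded by `readlen` instead of stopping at a terminating NUL. I would add a line to that comment such as `readbuf need not be NUL-terminated; at most readlen bytes are examined`, so a later caller does not reintroduce a read past the end of the buffer. As a smaller point, `while (readlen--)` on an unsigned `apr_size_t` leaves `readlen` wrapped to its maximum value once the input is exhausted. `const char *end = readbuf + readlen;` with `while (itr < end)` avoids that, assuming `itr` is advanced once per iteration in the part of the body not shown. The loop body continues outside the hunk, and both points apply equally to the second copy of the function in the later hunk.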
APR_BRIGADE_INSERT_TAIL(ob, b);
if (!seen_end_of_headers) {
- int st = handle_headers(r, &header_state, readbuf);
+ int st = handle_headers(r, &header_state,
+ readbuf, readbuflen);
if (st == 1) {
int status;
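Review bot: The bound passed at this call is only as good as `readbuflen`, which is assigned outside the hunk. It has to be the number of bytes actually read into `readbuf` for the current record, not the buffer's capacity, otherwise handle_headers() will scan bytes that were never filled in by this read. A short comment at the call would make that dependency visible, e.g. `/* readbuflen: bytes just read into readbuf; handle_headers() does not rely on a terminating NUL */`. The same holds for the `iobuf` call in the other module's hunk, where the commit message implies the buffer has no spare byte for a terminator. The enclosing function starts and ends outside the hunk.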
*
* Returns 0 if it can't find the end of the headers, and 1 if it found the
* end of the headers. */
-static int handle_headers(request_rec *r,
- int *state,
- char *readbuf)
+static int handle_headers(request_rec *r, int *state,
+ const char *readbuf, apr_size_t readlen)
{
const char *itr = readbuf;
- while (*itr) {
+ while (readlen--) {
if (*itr == '\r') {
switch (*state) {
case HDR_STATE_GOT_CRLF:
APR_BRIGADE_INSERT_TAIL(ob, b);
if (! seen_end_of_headers) {
- int st = handle_headers(r, &header_state, iobuf);
+ int st = handle_headers(r, &header_state,
+ iobuf, readbuflen);
if (st == 1) {
int status;