SECURITY: CVE-2017-7668 (cve.mitre.org)

The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.

Merge r1796350 from trunk:
short-circuit on NULL

Submitted by: jchampion, covener
Reviewed by: covener, ylavic, jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796856 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/STATUS b/STATUS
index 456596a6160454f248bdb0d2a08f1b252737886d..87abfa95d81ec722a38776d87c456d493b45fbf7 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -120,10 +120,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) core: Terminate token processing on NULL.
-     trunk patch: http://svn.apache.org/r1796350
-     2.4.x patch: svn merge -c 1796350 ^/httpd/httpd/trunk .
-     +1: covener, ylavic, jim
 
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:

diff --git a/server/util.c b/server/util.c
index 6667ac2e46394e23617eb25ed8dd8410fa9e05d2..830ce5b38bc50ec2a3fafad3f4ca1eb0cd9accc1 100644 (file)
--- a/server/util.c
+++ b/server/util.c
@@ -1679,10 +1679,8 @@ AP_DECLARE(int) ap_find_token(apr_pool_t *p, const char *line, const char *tok)
 
     s = (const unsigned char *)line;
     for (;;) {
-        /* find start of token, skip all stop characters, note NUL
-         * isn't a token stop, so we don't need to test for it
-         */
-        while (TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
+        /* find start of token, skip all stop characters */
+        while (*s && TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
             ++s;
         }
         if (!*s) {