Changes with Apache 2.3.0
[Remove entries to the current 2.0 and 2.2 section below, when backported]
+ *) mod_proxy_ajp: Crosscheck the length of the body chunk with the length of
+ the ajp message to prevent mod_proxy_ajp from reading beyond the buffer
+ boundaries and thus revealing possibly sensitive memory contents to the
+ client. [Ruediger Pluem]
+
*) mod_proxy_http: Do send keep-alive header if the client sent
connection: keep-alive and do not close backend connection if the client
sent connection: close. PR 38524. [Ruediger Pluem, Joe Orton]
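Review bot: The new CHANGES entry does not say which field is trusted and which is checked; it should state that the chunk length carried in the AJP SEND_BODY_CHUNK header is now validated against the framing length of the whole AJP message, so a reader knows the read-past-buffer is triggered by a backend that sends a chunk-length header larger than the message that contains it. It would also help to mark the entry as a security fix in the same way other security entries in this file are marked, and to reference a PR or advisory number if one is assigned, since the entry is placed under the 2.3.0 heading with the note that it is to be removed from here when backported.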
{
apr_byte_t result;
apr_status_t rc;
+ apr_uint16_t expected_len;
rc = ajp_msg_get_uint8(msg, &result);
if (rc != APR_SUCCESS) {
if (rc != APR_SUCCESS) {
return rc;
}
+ /*
+ * msg->len contains the complete length of the message including all
+ * headers. So the expected length for a CMD_AJP13_SEND_BODY_CHUNK is
+ * msg->len minus the sum of
+ * AJP_HEADER_LEN : The length of the header to every AJP message.
+ * AJP_HEADER_SZ_LEN : The header giving the size of the chunk.
+ * 1 : The CMD_AJP13_SEND_BODY_CHUNK indicator byte (0x03).
+ * 1 : The last byte of this message always seems to be
+ * 0x00 and is not part of the chunk.
+ */
+ expected_len = msg->len - (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1);
+ if (*len != expected_len) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+ "ajp_parse_data: Wrong chunk length. Length of chunk is %i,"
+ " expected length is %i.", *len, expected_len);
+ return AJP_EBAD_HEADER;
+ }
*ptr = (char *)&(msg->buf[msg->pos]);
return APR_SUCCESS;
}
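Review bot: `expected_len = msg->len - (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1);` subtracts without first checking that `msg->len` is at least that large, so a truncated message underflows into a large value stored in an `apr_uint16_t`; add a guard such as `if (msg->len < AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 2) return AJP_EBAD_HEADER;` before the subtraction rather than relying on the equality test failing by accident. The comment "The last byte of this message always seems to be 0x00" documents an observation, not the protocol; the trailing byte should be justified from the AJP13 message format so that the `+ 1` is not removed later as unexplained. Separately, the two consecutive `if (rc != APR_SUCCESS) {` lines leave the braces unbalanced as pasted here; confirm the hunk as committed contains a single check, since the duplicated line reads as a paste artifact rather than intended code.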