* Fix a regression in the CVE-2011-3192 byterange fix:

  Range: bytes=-1

  Resulted in the first two bytes delivered, not in the last one.

PR: 51748
Submitted by: low_priority <lowprio20 gmail.com>
Reviewed by: rpluem

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1163985 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 5dd40d6d7a34d04d9a509d3d08a048b342231d02..86c1af7ee1d768d1bcf51fbfbe84f009ee202bdd 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,15 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.3.15
 
+  *) Fix a regression in the CVE-2011-3192 byterange fix.
+     PR 51748. [low_priority <lowprio20 gmail.com>]
+
+  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
+     core: Fix handling of byte-range requests to use less memory, to avoid
+     denial of service. If the sum of all ranges in a request is larger than
+     the original file, ignore the ranges and send the complete file.
+     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
+
   *) core: Add MaxRanges directive to control the number of ranges permitted
      before returning the entire resource, with a default limit of 200. 
      [Eric Covener]

diff --git a/modules/http/byterange_filter.c b/modules/http/byterange_filter.c
index 7fe003e3ff7f43cb50984d9ba3caa209f06d4ed8..18b31223664ba3a6360308924b8976d72f1a0cd3 100644 (file)
--- a/modules/http/byterange_filter.c
+++ b/modules/http/byterange_filter.c
@@ -544,7 +544,7 @@ static int ap_set_byterange(request_rec *r, apr_off_t clength,
             return 0;
         }
 
-        if (dash == range) {
+        if (dash == cur) {
             /* In the form "-5" */
             if (apr_strtoff(&number, dash+1, &errp, 10) || *errp) {
                 return 0;