]> granicus.if.org Git - apache/commitdiff
projects / apache / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 69637df)
SECURITY (CVE-2013-4352): Fix a NULL pointer deference which allowed
authorGraham Leggett <minfrin@apache.org>
Sat, 14 Sep 2013 13:32:25 +0000 (13:32 +0000)
committerGraham Leggett <minfrin@apache.org>
Sat, 14 Sep 2013 13:32:25 +0000 (13:32 +0000)
untrusted origin servers to crash mod_cache in a forward proxy configuration.

mod_cache: Avoid a crash with strcmp() when the hostname is not provided.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1523235 13f79535-47bb-0310-9956-ffa450edef68

CHANGES patch | blob | history
modules/cache/cache_storage.c patch | blob | history

diff --git a/CHANGES b/CHANGES
index f2de0f886a01cd2acada04995463f3813a975dbe..026428b23596a8107ba4558dec7b77d4d4164921 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_cache: Avoid a crash with strcmp() when the hostname is not provided.
+     [Graham Leggett]
+
   *) mod_lua: Add rudimentary support for WebSocket interaction. This is 
      currently request-bound and only supports the WS protocol. [Daniel Gruno]
 
diff --git a/modules/cache/cache_storage.c b/modules/cache/cache_storage.c
index af60a39b84ff36367c96bcfd6a6878663b7a6294..782dc712fcfc2639c646c895977a739258170f47 100644 (file)
--- a/modules/cache/cache_storage.c
+++ b/modules/cache/cache_storage.c
@@ -713,7 +713,9 @@ int cache_invalidate(cache_request_rec *cache, request_rec *r)
                 || APR_SUCCESS
                         != cache_canonicalise_key(r, r->pool, location,
                                 &location_uri, &location_key)
-                || strcmp(r->parsed_uri.hostname, location_uri.hostname)) {
+                || !(r->parsed_uri.hostname && location_uri.hostname
+                        && !strcmp(r->parsed_uri.hostname,
+                                location_uri.hostname))) {
             location_key = NULL;
         }
     }
@@ -726,8 +728,9 @@ int cache_invalidate(cache_request_rec *cache, request_rec *r)
                 || APR_SUCCESS
                         != cache_canonicalise_key(r, r->pool, content_location,
                                 &content_location_uri, &content_location_key)
-                || strcmp(r->parsed_uri.hostname,
-                        content_location_uri.hostname)) {
+                || !(r->parsed_uri.hostname && content_location_uri.hostname
+                        && !strcmp(r->parsed_uri.hostname,
+                                content_location_uri.hostname))) {
             content_location_key = NULL;
         }
     }
Unnamed repository; edit this file 'description' to name the repository.