Merge r1640036, r1640331 from trunk:
authorJoe Orton <jorton@apache.org>
Tue, 25 Nov 2014 09:17:19 +0000 (09:17 +0000)
committerJoe Orton <jorton@apache.org>
Tue, 25 Nov 2014 09:17:19 +0000 (09:17 +0000)
mod_proxy_fcgi: SECURITY: CVE-2014-3583 (cve.mitre.org)
Fix a potential crash with response headers' size above 8K.

The code changes to mod_authnz_fcgi keep the handle_headers()
function in sync between the two modules.  mod_authnz_fcgi
does not have this issue because it allocates a separate byte
for the terminating '\0'.

Submitted by: ylavic, trawick
Reviewed by: ylavic, trawick, mrumph

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1641551 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/aaa/mod_authnz_fcgi.c
modules/proxy/mod_proxy_fcgi.c

diff --git a/CHANGES b/CHANGES
index a41a630f4db4cdfa8d0c5b68cd8b7aa0d4b0f7de..a6ac6d5448552d58f59f5567da283d5a6cea87ca 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 
 Changes with Apache 2.4.11
+  
+  *) SECURITY: CVE-2014-3583 (cve.mitre.org)
+     mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with 
+     response headers' size above 8K.  [Yann Ylavic, Jeff Trawick]
 
   *) SECURITY: CVE-2014-3581 (cve.mitre.org)
      mod_cache: Avoid a crash when Content-Type has an empty value.
index 5e4a9378500ac7d91a00ac34b2b2f27f79774011..401fa9950788df0a20749c6c3775721f13e3c26e 100644 (file)
@@ -406,13 +406,12 @@ enum {
  *
  * Returns 0 if it can't find the end of the headers, and 1 if it found the
  * end of the headers. */
-static int handle_headers(request_rec *r,
-                          int *state,
-                          char *readbuf)
+static int handle_headers(request_rec *r, int *state,
+                          const char *readbuf, apr_size_t readlen)
 {
     const char *itr = readbuf;
 
-    while (*itr) {
+    while (readlen--) {
         if (*itr == '\r') {
             switch (*state) {
                 case HDR_STATE_GOT_CRLF:
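Review bot: The new `readlen` parameter is not described in the header comment at the top of the hunk, and that comment should also record the contract the fix relies on: `readbuf` is no longer assumed to be NUL-terminated and exactly `readlen` bytes are scanned, so a NUL byte inside the FastCGI response no longer stops the scan the way the old `while (*itr)` loop did. Suggested addition to the comment block: `readbuf need not be NUL-terminated; readlen is the number of valid bytes in it, and embedded NUL bytes are scanned over rather than terminating the loop.` Whether the downstream header parsing tolerates an embedded NUL is outside this hunk and worth confirming. Note also that `while (readlen--)` leaves `readlen` wrapped to `(apr_size_t)-1` once the loop runs to exhaustion, so it must not be reused as a count after the loop. The rest of handle_headers's body, including where `itr` is advanced, lies past the end of the hunk.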
@@ -555,7 +554,8 @@ static apr_status_t handle_response(const fcgi_provider_conf *conf,
                 APR_BRIGADE_INSERT_TAIL(ob, b);
 
                 if (!seen_end_of_headers) {
-                    int st = handle_headers(r, &header_state, readbuf);
+                    int st = handle_headers(r, &header_state,
+                                            readbuf, readbuflen);
 
                     if (st == 1) {
                         int status;
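Review bot: The fix now rests on `readbuflen` being the number of bytes actually read into `readbuf` on this pass rather than the buffer's capacity; the read that sets it is outside the hunk, so I cannot confirm that from here. If it were the capacity, a short read would let handle_headers scan stale bytes left from an earlier pass and could report a spurious end of headers. A comment at the call site would make the assumption explicit, e.g. `/* readbuflen is the byte count of this read, not the buffer size */`, or a debug check such as `AP_DEBUG_ASSERT(readbuflen <= sizeof(readbuf));` if readbuf is a local array. The enclosing loop in handle_response starts and ends outside the hunk.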
index 4c9bfb84dcc49c99d6bac1aaccc0efeedd45fce2..9f570351638145d2cd4a80b7dedfc5ba8fe8b470 100644 (file)
@@ -308,13 +308,12 @@ enum {
  *
  * Returns 0 if it can't find the end of the headers, and 1 if it found the
  * end of the headers. */
-static int handle_headers(request_rec *r,
-                          int *state,
-                          char *readbuf)
+static int handle_headers(request_rec *r, int *state,
+                          const char *readbuf, apr_size_t readlen)
 {
     const char *itr = readbuf;
 
-    while (*itr) {
+    while (readlen--) {
         if (*itr == '\r') {
             switch (*state) {
                 case HDR_STATE_GOT_CRLF:
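Review bot: The new `readlen` parameter is undocumented in the header comment that opens the hunk, and the comment should state the contract this CVE fix depends on: `readbuf` is no longer assumed to be NUL-terminated, exactly `readlen` bytes are examined, and a NUL byte within the response body no longer terminates the scan as the old `while (*itr)` loop did. Suggested addition: `readbuf need not be NUL-terminated; readlen is the number of valid bytes in it, and embedded NUL bytes are scanned over rather than ending the loop.` Whether the later header parsing copes with an embedded NUL is outside this hunk and should be checked. Also, `while (readlen--)` wraps `readlen` to `(apr_size_t)-1` when the loop runs to exhaustion, so it must not be reused as a count afterwards. The remainder of handle_headers, including the `itr` advance, is past the end of the hunk.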
@@ -561,7 +560,8 @@ recv_again:
                     APR_BRIGADE_INSERT_TAIL(ob, b);
 
                     if (! seen_end_of_headers) {
-                        int st = handle_headers(r, &header_state, iobuf);
+                        int st = handle_headers(r, &header_state,
+                                                iobuf, readbuflen);
 
                         if (st == 1) {
                             int status;
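Review bot: The call passes `iobuf` with `readbuflen`, and the fix is only correct if `readbuflen` is the number of bytes the preceding read placed into `iobuf` on this pass rather than the buffer's capacity; the read that sets it is not in the hunk, so this is an assumption from here. If it were the capacity, a short read would have handle_headers scan stale bytes from a previous pass and possibly detect a false end of headers. The mismatch between the names `iobuf` and `readbuflen` makes this worth a one-line comment at the call site, e.g. `/* readbuflen: bytes read into iobuf this pass, not its size */`. The enclosing recv_again loop in handle_response starts and ends outside the hunk.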