From: Jeff Trawick Date: Tue, 15 Jul 2014 11:17:49 +0000 (+0000) Subject: Merge r1610652 from trunk: X-Git-Tag: 2.4.10~15 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=15951e84566f8922738dd26d57176c964c2a6acc;p=apache Merge r1610652 from trunk: SECURITY (CVE-2014-3523): Fix a memory consumption denial of service in the WinNT MPM used in all Windows installations. Workaround: AcceptFilter {none|connect} Submitted by: trawick Reviewed by: jorton, covener, jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610653 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 7205eabe49..afd4dd64ad 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,11 @@ Changes with Apache 2.4.10 + *) SECURITY (CVE-2014-0226): Fix a memory consumption denial of + service in the WinNT MPM (used in all Windows installations). + Workaround: AcceptFilter {none|connect} + [Jeff Trawick] + *) SECURITY: CVE-2014-0226 (cve.mitre.org) Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow. [Joe Orton, Eric Covener] diff --git a/server/mpm/winnt/child.c b/server/mpm/winnt/child.c index 44692f2ce8..e4d1c150a1 100644 --- a/server/mpm/winnt/child.c +++ b/server/mpm/winnt/child.c @@ -601,8 +601,12 @@ reinit: /* target of data or connect upon too many AcceptEx failures */ b->length = BytesRead; context->overlapped.Pointer = b; } - else + else { + if (accf == 2) { + apr_bucket_free(buf); + } context->overlapped.Pointer = NULL; + } } else /* (accf = 0) e.g. 'none' */ {
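Review bot: The new CHANGES entry is labelled CVE-2014-0226, but the commit message gives CVE-2014-3523 for this WinNT MPM memory consumption fix, and CVE-2014-0226 is already used by the scoreboard race condition entry directly below it. The identifier in the added entry should match the commit message so the two fixes are not conflated in the changelog. The added entry is also written as "SECURITY (CVE-...)" while the existing one uses "SECURITY: CVE-... (cve.mitre.org)"; pick one form for both.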
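Review bot: In the child.c hunk, the added `apr_bucket_free(buf);` in the else branch is guarded by the bare constant `accf == 2` with no comment, and `buf` keeps its freed value afterwards. The only hint at what the accf values mean in the visible lines is the trailing comment `/* (accf = 0) e.g. 'none' */`, so a short comment stating that buf is only allocated in the accf == 2 mode, and that it must be released when it is not handed to the bucket `b`, would make the ownership rule clear to the next reader. Because this code sits under the `reinit:` label, which is a target for re-entry after AcceptEx failures, consider also setting `buf = NULL` after the free so a later pass cannot free or reuse the stale pointer.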