From: Eric Covener Date: Mon, 14 Jul 2014 20:01:30 +0000 (+0000) Subject: backport r1610501 from trunk: X-Git-Tag: 2.4.10~22 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2a8f1c4307e3df22fbd05fc0aa3846bd896fef45;p=apache backport r1610501 from trunk: *) SECURITY: CVE-2014-0118 (cve.mitre.org) mod_deflate: The DEFLATE input filter (inflates request bodies) now limits the length and compression ratio of inflated request bodies to avoid denial of sevice via highly compressed bodies. See directives DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst. Thanks to Giancarlo Pellegrino and Davide Balzarotti for reporting the issue. Submitted By: ylavic, covener Reviewed By: jorton, covener, jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610503 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index e3d0dd2188..bc3cd4a7f0 100644 --- a/CHANGES +++ b/CHANGES @@ -6,6 +6,13 @@ Changes with Apache 2.4.10 Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow. [Joe Orton] + *) SECURITY: CVE-2014-0118 (cve.mitre.org) + mod_deflate: The DEFLATE input filter (inflates request bodies) now + limits the length and compression ratio of inflated request bodies to avoid + denial of sevice via highly compressed bodies. See directives + DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, + and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener] + *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions resumed by TLS session resumption (RFC 5077). [Rainer Jung] diff --git a/docs/manual/mod/mod_deflate.xml b/docs/manual/mod/mod_deflate.xml index a8da0c2455..28fb5e2366 100644 --- a/docs/manual/mod/mod_deflate.xml +++ b/docs/manual/mod/mod_deflate.xml @@ -298,6 +298,59 @@ CustomLog logs/deflate_log deflate + +DeflateInflateLimitRequestBody +Maximum size of inflated request bodies +DeflateInflateLimitRequestBodyvalue +None, but LimitRequestBody applies after deflation +server configvirtual host +directory.htaccess +2.4.10 and later + + +

The DeflateInflateLimitRequestBody directive + specifies the maximum size of an inflated request body. If it is unset, + LimitRequestBody is applied to the + inflated body.

+ + + + +DeflateInflateRatioLimit +Maximum inflation ratio for request bodies +DeflateInflateRatioLimit value +200 +server configvirtual host +directory.htaccess +2.4.10 and later + + +

The DeflateInflateRatioLimit directive + specifies the maximum ratio of deflated to inflated size of an + inflated request body. This ratio is checked as the body is + streamed in, and if crossed more than + DeflateInflateRatioBurst times the request + will be terminated.

+ + + + +DeflateInflateRatioBurst +Maximum number of times the inflation ratio for request bodies + can be crossed +DeflateInflateRatioBurst value +3 +server configvirtual host +directory.htaccess +2.4.10 and later + + +

The DeflateInflateRatioBurst directive + specifies the maximum number of times the + DeflateInflateRatioLimit cab be crossed before + terminating the request.

+ + diff --git a/modules/filters/mod_deflate.c b/modules/filters/mod_deflate.c index 8ba21d36ff..30115aae78 100644 --- a/modules/filters/mod_deflate.c +++ b/modules/filters/mod_deflate.c @@ -37,6 +37,7 @@ #include "httpd.h" #include "http_config.h" #include "http_log.h" +#include "http_core.h" #include "apr_lib.h" #include "apr_strings.h" #include "apr_general.h" @@ -54,6 +55,9 @@ static const char deflateFilterName[] = "DEFLATE"; module AP_MODULE_DECLARE_DATA deflate_module; +#define AP_INFLATE_RATIO_LIMIT 200 +#define AP_INFLATE_RATIO_BURST 3 + typedef struct deflate_filter_config_t { int windowSize; @@ -65,6 +69,12 @@ typedef struct deflate_filter_config_t char *note_output_name; } deflate_filter_config; +typedef struct deflate_dirconf_t { + apr_off_t inflate_limit; + int ratio_limit, + ratio_burst; +} deflate_dirconf_t; + /* RFC 1952 Section 2.3 defines the gzip header: * * +---+---+---+---+---+---+---+---+---+---+ @@ -206,6 +216,14 @@ static void *create_deflate_server_config(apr_pool_t *p, server_rec *s) return c; } +static void *create_deflate_dirconf(apr_pool_t *p, char *dummy) +{ + deflate_dirconf_t *dc = apr_pcalloc(p, sizeof(*dc)); + dc->ratio_limit = AP_INFLATE_RATIO_LIMIT; + dc->ratio_burst = AP_INFLATE_RATIO_BURST; + return dc; +} + static const char *deflate_set_window_size(cmd_parms *cmd, void *dummy, const char *arg) { @@ -297,6 +315,55 @@ static const char *deflate_set_compressionlevel(cmd_parms *cmd, void *dummy, return NULL; } + +static const char *deflate_set_inflate_limit(cmd_parms *cmd, void *dirconf, + const char *arg) +{ + deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf; + char *errp; + + if (APR_SUCCESS != apr_strtoff(&dc->inflate_limit, arg, &errp, 10)) { + return "DeflateInflateLimitRequestBody is not parsable."; + } + if (*errp || dc->inflate_limit < 0) { + return "DeflateInflateLimitRequestBody requires a non-negative integer."; + } + + return NULL; +} + +static const char *deflate_set_inflate_ratio_limit(cmd_parms *cmd, + void *dirconf, + const char *arg) +{ + deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf; + int i; + + i = atoi(arg); + if (i <= 0) + return "DeflateInflateRatioLimit must be positive"; + + dc->ratio_limit = i; + + return NULL; +} + +static const char *deflate_set_inflate_ratio_burst(cmd_parms *cmd, + void *dirconf, + const char *arg) +{ + deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf; + int i; + + i = atoi(arg); + if (i <= 0) + return "DeflateInflateRatioBurst must be positive"; + + dc->ratio_burst = i; + + return NULL; +} + typedef struct deflate_ctx_t { z_stream stream; @@ -309,6 +376,8 @@ typedef struct deflate_ctx_t char header[10]; /* sizeof(gzip_header) */ apr_size_t header_len; int zlib_flags; + int ratio_hits; + apr_off_t inflate_total; unsigned int consume_pos, consume_len; unsigned int filter_init:1; @@ -428,6 +497,22 @@ static void deflate_check_etag(request_rec *r, const char *transform) } } +/* Check whether the (inflate) ratio exceeds the configured limit/burst. */ +static int check_ratio(request_rec *r, deflate_ctx *ctx, + const deflate_dirconf_t *dc) +{ + if (ctx->stream.total_in) { + int ratio = ctx->stream.total_out / ctx->stream.total_in; + if (ratio < dc->ratio_limit) { + ctx->ratio_hits = 0; + } + else if (++ctx->ratio_hits > dc->ratio_burst) { + return 0; + } + } + return 1; +} + static int have_ssl_compression(request_rec *r) { const char *comp; @@ -1001,6 +1086,8 @@ static apr_status_t deflate_in_filter(ap_filter_t *f, int zRC; apr_status_t rv; deflate_filter_config *c; + deflate_dirconf_t *dc; + apr_off_t inflate_limit; /* just get out of the way of things we don't want. */ if (mode != AP_MODE_READBYTES) { @@ -1008,6 +1095,7 @@ static apr_status_t deflate_in_filter(ap_filter_t *f, } c = ap_get_module_config(r->server->module_config, &deflate_module); + dc = ap_get_module_config(r->per_dir_config, &deflate_module); if (!ctx || ctx->header_len < sizeof(ctx->header)) { apr_size_t len; @@ -1124,6 +1212,12 @@ static apr_status_t deflate_in_filter(ap_filter_t *f, apr_brigade_cleanup(ctx->bb); } + inflate_limit = dc->inflate_limit; + if (inflate_limit == 0) { + /* The core is checking the deflated body, we'll check the inflated */ + inflate_limit = ap_get_limit_req_body(f->r); + } + if (APR_BRIGADE_EMPTY(ctx->proc_bb)) { rv = ap_get_brigade(f->next, ctx->bb, mode, block, readbytes); @@ -1174,6 +1268,17 @@ static apr_status_t deflate_in_filter(ap_filter_t *f, ctx->stream.next_out = ctx->buffer; len = c->bufferSize - ctx->stream.avail_out; + + ctx->inflate_total += len; + if (inflate_limit && ctx->inflate_total > inflate_limit) { + inflateEnd(&ctx->stream); + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO() + "Inflated content length of %" APR_OFF_T_FMT + " is larger than the configured limit" + " of %" APR_OFF_T_FMT, + ctx->inflate_total, inflate_limit); + return APR_ENOSPC; + } ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len); tmp_b = apr_bucket_heap_create((char *)ctx->buffer, len, @@ -1228,9 +1333,30 @@ static apr_status_t deflate_in_filter(ap_filter_t *f, while (ctx->stream.avail_in != 0) { if (ctx->stream.avail_out == 0) { apr_bucket *tmp_heap; + ctx->stream.next_out = ctx->buffer; len = c->bufferSize - ctx->stream.avail_out; + ctx->inflate_total += len; + if (inflate_limit && ctx->inflate_total > inflate_limit) { + inflateEnd(&ctx->stream); + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO() + "Inflated content length of %" APR_OFF_T_FMT + " is larger than the configured limit" + " of %" APR_OFF_T_FMT, + ctx->inflate_total, inflate_limit); + return APR_ENOSPC; + } + + if (!check_ratio(r, ctx, dc)) { + inflateEnd(&ctx->stream); + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO() + "Inflated content ratio is larger than the " + "configured limit %i by %i time(s)", + dc->ratio_limit, dc->ratio_burst); + return APR_EINVAL; + } + ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len); tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len, NULL, f->c->bucket_alloc); @@ -1376,6 +1502,7 @@ static apr_status_t inflate_out_filter(ap_filter_t *f, int zRC; apr_status_t rv; deflate_filter_config *c; + deflate_dirconf_t *dc; /* Do nothing if asked to filter nothing. */ if (APR_BRIGADE_EMPTY(bb)) { @@ -1383,6 +1510,7 @@ static apr_status_t inflate_out_filter(ap_filter_t *f, } c = ap_get_module_config(r->server->module_config, &deflate_module); + dc = ap_get_module_config(r->per_dir_config, &deflate_module); if (!ctx) { @@ -1661,6 +1789,14 @@ static apr_status_t inflate_out_filter(ap_filter_t *f, while (ctx->stream.avail_in != 0) { if (ctx->stream.avail_out == 0) { + if (!check_ratio(r, ctx, dc)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO() + "Inflated content ratio is larger than the " + "configured limit %i by %i time(s)", + dc->ratio_limit, dc->ratio_burst); + return APR_EINVAL; + } + ctx->stream.next_out = ctx->buffer; len = c->bufferSize - ctx->stream.avail_out; @@ -1747,12 +1883,20 @@ static const command_rec deflate_filter_cmds[] = { "Set the Deflate Memory Level (1-9)"), AP_INIT_TAKE1("DeflateCompressionLevel", deflate_set_compressionlevel, NULL, RSRC_CONF, "Set the Deflate Compression Level (1-9)"), + AP_INIT_TAKE1("DeflateInflateLimitRequestBody", deflate_set_inflate_limit, NULL, OR_ALL, + "Set a limit on size of inflated input"), + AP_INIT_TAKE1("DeflateInflateRatioLimit", deflate_set_inflate_ratio_limit, NULL, OR_ALL, + "Set the inflate ratio limit above which inflation is " + "aborted (default: " APR_STRINGIFY(AP_INFLATE_RATIO_LIMIT) ")"), + AP_INIT_TAKE1("DeflateInflateRatioBurst", deflate_set_inflate_ratio_burst, NULL, OR_ALL, + "Set the maximum number of following inflate ratios above limit " + "(default: " APR_STRINGIFY(AP_INFLATE_RATIO_BURST) ")"), {NULL} }; AP_DECLARE_MODULE(deflate) = { STANDARD20_MODULE_STUFF, - NULL, /* dir config creater */ + create_deflate_dirconf, /* dir config creater */ NULL, /* dir merger --- default is to override */ create_deflate_server_config, /* server config */ NULL, /* merge server config */