From: Jeff Trawick Date: Mon, 28 Jun 2004 23:53:52 +0000 (+0000) Subject: CAN-2004-0493 - memory exhaustion denial of service X-Git-Tag: pre_ajp_proxy~131 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=46ff3a2fdc40657f67c040d04d7607879c8f25b9;p=apache CAN-2004-0493 - memory exhaustion denial of service Reviewed by: jerenkrantz git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@104059 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index fce7c86ffe..b47cb9debb 100644 --- a/CHANGES +++ b/CHANGES @@ -388,6 +388,11 @@ Changes with Apache 2.1.0-dev Changes with Apache 2.0.50 + *) SECURITY: CAN-2004-0493 (cve.mitre.org) + Close a denial of service vulnerability identified by Georgi + Guninski which could lead to memory exhaustion with certain + input data. [Jeff Trawick] + *) mod_alias now emits a warning if it detects overlapping *Alias* directives. [André Malo] diff --git a/server/protocol.c b/server/protocol.c index fb53fadb63..6407a6f5a2 100644 --- a/server/protocol.c +++ b/server/protocol.c @@ -716,6 +716,23 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb * continuations that span many many lines. */ apr_size_t fold_len = last_len + len + 1; /* trailing null */ + + if ((fold_len - 1) > r->server->limit_req_fieldsize) { + r->status = HTTP_BAD_REQUEST; + /* report what we have accumulated so far before the + * overflow (last_field) as the field with the problem + */ + apr_table_setn(r->notes, "error-notes", + apr_pstrcat(r->pool, + "Size of a request header field " + "after folding " + "exceeds server limit.
\n" + "
\n",
+                                               ap_escape_html(r->pool, last_field),
+                                               "
\n", NULL)); + return; + } + if (fold_len > alloc_len) { char *fold_buf; alloc_len += alloc_len;
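Review bot: The rejection branch builds the `error-notes` entry from the whole accumulated `last_field`, so the path meant to cap memory still makes an HTML-escaped pool copy of up to a limit's worth of client-supplied data and hands it to the error response; passing only the field name (the part before the `:`) would identify the offending header just as well. No log call is visible before `return;`, so unless the caller logs on `HTTP_BAD_REQUEST` there is no server-side record of which client hit the limit; consider adding `ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "Request header exceeds LimitRequestFieldSize after folding");` ahead of the `return;`. The comparison `(fold_len - 1) > r->server->limit_req_fieldsize` also mixes `apr_size_t` with a field whose type is not shown here; if it is signed, a short comment stating that configuration parsing guarantees a non-negative value would make the guard's assumption explicit. The body of `ap_get_mime_headers_core` starts and ends outside this hunk.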