From: Yann Ylavic <ylavic@apache.org>
Date: Sun, 16 Nov 2014 22:04:39 +0000 (+0000)
Subject: mod_proxy_fcgi: SECURITY: CVE-2014-3583 (cve.mitre.org)
X-Git-Tag: 2.5.0-alpha~3706
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=54f079749858377dfff23843956fc34d513eb40c;p=apache

mod_proxy_fcgi: SECURITY: CVE-2014-3583 (cve.mitre.org)
Fix a potential crash with response headers' size above 8K.

The code changes to mod_authnz_fcgi keep the handle_headers()
function in sync between the two modules.  mod_authnz_fcgi
does not have this issue because it allocated a separate byte
for terminating '\0'.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1640036 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index b91a5a07af..2fb0c5ef57 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
   
+  *) SECURITY: CVE-2014-3583 (cve.mitre.org)
+     mod_proxy_fcgi, mod_authnz_fcgi: Fix a potential crash with response
+     headers' size above 8K. [Teguh <chain rop.io>, Yann Ylavic, Jeff Trawick]
+
   *) mod_authnz_ldap: Resolve crashes with LDAP authz and non-LDAP authn since 
      r1608202. [Eric Covener]
  
diff --git a/modules/aaa/mod_authnz_fcgi.c b/modules/aaa/mod_authnz_fcgi.c
index 5e4a937850..401fa99507 100644
--- a/modules/aaa/mod_authnz_fcgi.c
+++ b/modules/aaa/mod_authnz_fcgi.c
@@ -406,13 +406,12 @@ enum {
  *
  * Returns 0 if it can't find the end of the headers, and 1 if it found the
  * end of the headers. */
-static int handle_headers(request_rec *r,
-                          int *state,
-                          char *readbuf)
+static int handle_headers(request_rec *r, int *state,
+                          const char *readbuf, apr_size_t readlen)
 {
     const char *itr = readbuf;
 
-    while (*itr) {
+    while (readlen--) {
         if (*itr == '\r') {
             switch (*state) {
                 case HDR_STATE_GOT_CRLF:
@@ -555,7 +554,8 @@ static apr_status_t handle_response(const fcgi_provider_conf *conf,
                 APR_BRIGADE_INSERT_TAIL(ob, b);
 
                 if (!seen_end_of_headers) {
-                    int st = handle_headers(r, &header_state, readbuf);
+                    int st = handle_headers(r, &header_state,
+                                            readbuf, readbuflen);
 
                     if (st == 1) {
                         int status;
diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c
index ab1118238b..79d142cdbe 100644
--- a/modules/proxy/mod_proxy_fcgi.c
+++ b/modules/proxy/mod_proxy_fcgi.c
@@ -310,13 +310,12 @@ enum {
  *
  * Returns 0 if it can't find the end of the headers, and 1 if it found the
  * end of the headers. */
-static int handle_headers(request_rec *r,
-                          int *state,
-                          char *readbuf)
+static int handle_headers(request_rec *r, int *state,
+                          const char *readbuf, apr_size_t readlen)
 {
     const char *itr = readbuf;
 
-    while (*itr) {
+    while (readlen--) {
         if (*itr == '\r') {
             switch (*state) {
                 case HDR_STATE_GOT_CRLF:
@@ -563,7 +562,8 @@ recv_again:
                     APR_BRIGADE_INSERT_TAIL(ob, b);
 
                     if (! seen_end_of_headers) {
-                        int st = handle_headers(r, &header_state, iobuf);
+                        int st = handle_headers(r, &header_state,
+                                                iobuf, readbuflen);
 
                         if (st == 1) {
                             int status;