From: Graham Leggett
Date: Sat, 11 May 2013 11:47:17 +0000 (+0000)
Subject: mod_proxy: Reject invalid values for Max-Forwards.
X-Git-Tag: 2.5.0-alpha~5473
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9a80dab0a163e93976ffd9d96832620d0cb6933b;p=apache

mod_proxy: Reject invalid values for Max-Forwards.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1481302 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 01527d9020..9497137468 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
+ *) mod_proxy: Reject invalid values for Max-Forwards. [Graham Leggett,
+ Co-Advisor ]
+
 *) mod_cache: If a 304 response indicates an entity not currently cached, then the cache MUST disregard the response and repeat the request without the conditional. [Graham Leggett, Co-Advisor ]
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index a10ae4d925..d6a6705970 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -879,7 +879,7 @@ static int proxy_handler(request_rec *r)
 int i, rc, access_status;
 int direct_connect = 0;
 const char *str;
- long maxfwd;
+ apr_int64_t maxfwd;
 proxy_balancer *balancer = NULL;
 proxy_worker *worker = NULL;
 int attempts = 0, max_attempts = 0;
@@ -891,8 +891,14 @@ static int proxy_handler(request_rec *r)
 /* handle max-forwards / OPTIONS / TRACE */
 if ((str = apr_table_get(r->headers_in, "Max-Forwards"))) {
- maxfwd = strtol(str, NULL, 10);
- if (maxfwd < 1) {
+ char *end;
+ maxfwd = apr_strtoi64(str, &end, 10);
+ if (maxfwd < 0 || maxfwd == APR_INT64_MAX || *end) {
+ return ap_proxyerror(r, HTTP_BAD_REQUEST,
+ apr_psprintf(r->pool,
+ "Max-Forwards value '%s' could not be parsed", str));
+ }
+ else if (maxfwd == 0) {
 switch (r->method_number) {
 case M_TRACE: {
 int access_status;
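Review bot: Widening `maxfwd` from `long` to `apr_int64_t` in the declarations of proxy_handler (first mod_proxy.c hunk) leaves every later use of the variable, none of which this diff shows, to be checked by hand. If the function writes the value back into a header with a `long` conversion such as `%ld`, that becomes a varargs type mismatch on platforms where `long` is 32 bits; the conversion should then be `"%" APR_INT64_T_FMT`. The body of proxy_handler starts and ends outside this hunk.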
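Review bot: An empty `Max-Forwards:` value still passes the new validation in the second mod_proxy.c hunk, because `apr_strtoi64` converts nothing, returns 0 and leaves `end` equal to `str`, so `*end` is NUL and the request is handled as Max-Forwards: 0. Adding an explicit no-digits test closes that: `if (end == str || maxfwd < 0 || maxfwd == APR_INT64_MAX || *end) {`. Overflow is inferred here from the saturated return value; testing `errno == ERANGE` after the call would state the intent directly and would not treat a literal maximum as an error. The client-supplied header text is also copied into the message handed to `ap_proxyerror`, whose body is not part of this diff, so it is worth confirming that the function escapes the message before it reaches the error page. proxy_handler continues outside the hunk.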
@@ -913,7 +919,7 @@ static int proxy_handler(request_rec *r)
 return OK;
 }
 default: {
- return ap_proxyerror(r, HTTP_BAD_GATEWAY,
+ return ap_proxyerror(r, HTTP_BAD_REQUEST,
 "Max-Forwards has reached zero - proxy loop?");
 }
 }