From: Ruediger Pluem Date: Sun, 5 Mar 2006 15:22:18 +0000 (+0000) Subject: * Crosscheck the length of the body chunk with the length of the ajp message X-Git-Tag: 2.3.0~2516 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b5ca8f8f3febc6d6b3412e621bd7357fc9062d83;p=apache * Crosscheck the length of the body chunk with the length of the ajp message to prevent readings beyond the buffer boundaries which possibly could reveal sensitive memory contents to the client. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@383339 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 391777e5d5..1bbfd55bf3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@ Changes with Apache 2.3.0
 [Remove entries to the current 2.0 and 2.2 section below, when backported]
+ *) mod_proxy_ajp: Crosscheck the length of the body chunk with the length of
+ the ajp message to prevent mod_proxy_ajp from reading beyond the buffer
+ boundaries and thus revealing possibly sensitive memory contents to the
+ client. [Ruediger Pluem]
+
 *) mod_proxy_http: Do send keep-alive header if the client sent connection: keep-alive and do not close backend connection if the client sent connection: close. PR 38524. [Ruediger Pluem, Joe Orton]
diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c
index 03bfec4e04..07a9f3293d 100644
--- a/modules/proxy/ajp_header.c
+++ b/modules/proxy/ajp_header.c
@@ -683,6 +683,7 @@ apr_status_t ajp_parse_data(request_rec *r, ajp_msg_t *msg,
 {
 apr_byte_t result;
 apr_status_t rc;
+ apr_uint16_t expected_len;
 rc = ajp_msg_get_uint8(msg, &result);
 if (rc != APR_SUCCESS) {
@@ -699,6 +700,23 @@ apr_status_t ajp_parse_data(request_rec *r, ajp_msg_t *msg,
 if (rc != APR_SUCCESS) {
 return rc;
 }
+ /*
+ * msg->len contains the complete length of the message including all
+ * headers. So the expected length for a CMD_AJP13_SEND_BODY_CHUNK is
+ * msg->len minus the sum of
+ * AJP_HEADER_LEN : The length of the header to every AJP message.
+ * AJP_HEADER_SZ_LEN : The header giving the size of the chunk.
+ * 1 : The CMD_AJP13_SEND_BODY_CHUNK indicator byte (0x03).
+ * 1 : The last byte of this message always seems to be
+ * 0x00 and is not part of the chunk.
+ */
+ expected_len = msg->len - (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1);
+ if (*len != expected_len) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+ "ajp_parse_data: Wrong chunk length. Length of chunk is %i,"
+ " expected length is %i.", *len, expected_len);
+ return AJP_EBAD_HEADER;
+ }
 *ptr = (char *)&(msg->buf[msg->pos]);
 return APR_SUCCESS;
 }
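Review bot: The subtraction that computes `expected_len` (`msg->len - (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1)`) has no lower bound on `msg->len`; if a message shorter than that fixed overhead can reach this point, the unsigned subtraction wraps and the value truncated into the 16-bit `expected_len` can coincidentally equal the backend-supplied `*len`, so the new check would pass for a malformed message. Whether such a short message can get here depends on the bounds checks inside ajp_msg_get_uint8/ajp_msg_get_uint16 earlier in the function, which are not visible in this hunk. An explicit guard placed before the subtraction removes the doubt regardless: `if (msg->len < AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 2) { return AJP_EBAD_HEADER; }`. The added comment says the trailing 0x00 byte "always seems to be" present; since the equality test rejects every message without it, the comment should either cite the protocol guarantee or be reworded as `/* NOTE: the trailing 0x00 byte is assumed, not specified - confirm against the AJP13 protocol */` so the assumption is tracked. The definition of ajp_parse_data starts before this hunk.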