From: Jim Jagielski <jim@apache.org>
Date: Thu, 23 May 2013 12:54:09 +0000 (+0000)
Subject: Merge r1481302, r1481397 from trunk:
X-Git-Tag: 2.4.5~252
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ea640a4caa459b52657838fa2a44bd93f8fa4890;p=apache

Merge r1481302, r1481397 from trunk:

mod_proxy: Reject invalid values for Max-Forwards.


Adjust format string

type was changed by r1481302

Submitted by: minfrin, sf
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1485673 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index f2b1a918a3..7735c4be9d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.4.5
 
+  *) mod_proxy: Reject invalid values for Max-Forwards. [Graham Leggett,
+     Co-Advisor <coad measurement-factory.com>]
+
   *) mod_cache: RFC2616 14.9.3 The s-maxage directive also implies the
      semantics of the proxy-revalidate directive. [Graham Leggett]
 
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index 83c003b805..c6459728ee 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -879,7 +879,7 @@ static int proxy_handler(request_rec *r)
     int i, rc, access_status;
     int direct_connect = 0;
     const char *str;
-    long maxfwd;
+    apr_int64_t maxfwd;
     proxy_balancer *balancer = NULL;
     proxy_worker *worker = NULL;
     int attempts = 0, max_attempts = 0;
@@ -891,8 +891,14 @@ static int proxy_handler(request_rec *r)
 
     /* handle max-forwards / OPTIONS / TRACE */
     if ((str = apr_table_get(r->headers_in, "Max-Forwards"))) {
-        maxfwd = strtol(str, NULL, 10);
-        if (maxfwd < 1) {
+        char *end;
+        maxfwd = apr_strtoi64(str, &end, 10);
+        if (maxfwd < 0 || maxfwd == APR_INT64_MAX || *end) {
+            return ap_proxyerror(r, HTTP_BAD_REQUEST,
+                    apr_psprintf(r->pool,
+                            "Max-Forwards value '%s' could not be parsed", str));
+        }
+        else if (maxfwd == 0) {
             switch (r->method_number) {
             case M_TRACE: {
                 int access_status;
@@ -913,7 +919,7 @@ static int proxy_handler(request_rec *r)
                 return OK;
             }
             default: {
-                return ap_proxyerror(r, HTTP_BAD_GATEWAY,
+                return ap_proxyerror(r, HTTP_BAD_REQUEST,
                                      "Max-Forwards has reached zero - proxy loop?");
             }
             }
@@ -926,7 +932,7 @@ static int proxy_handler(request_rec *r)
     }
     if (maxfwd >= 0) {
         apr_table_setn(r->headers_in, "Max-Forwards",
-                       apr_psprintf(r->pool, "%ld", maxfwd));
+                       apr_psprintf(r->pool, "%" APR_INT64_T_FMT, maxfwd));
     }
 
     if (r->method_number == M_TRACE) {