From 15951e84566f8922738dd26d57176c964c2a6acc Mon Sep 17 00:00:00 2001
From: Jeff Trawick
Date: Tue, 15 Jul 2014 11:17:49 +0000
Subject: [PATCH] Merge r1610652 from trunk:

SECURITY (CVE-2014-3523): Fix a memory consumption denial of service in the WinNT MPM used in all Windows installations. Workaround: AcceptFilter {none|connect}
Submitted by: trawick
Reviewed by: jorton, covener, jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610653 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 5 +++++
 server/mpm/winnt/child.c | 6 +++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index 7205eabe49..afd4dd64ad 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@
 Changes with Apache 2.4.10
+ *) SECURITY (CVE-2014-0226): Fix a memory consumption denial of
+ service in the WinNT MPM (used in all Windows installations).
+ Workaround: AcceptFilter {none|connect}
+ [Jeff Trawick]
+
 *) SECURITY: CVE-2014-0226 (cve.mitre.org) Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow. [Joe Orton, Eric Covener]
diff --git a/server/mpm/winnt/child.c b/server/mpm/winnt/child.c
index 44692f2ce8..e4d1c150a1 100644
--- a/server/mpm/winnt/child.c
+++ b/server/mpm/winnt/child.c
@@ -601,8 +601,12 @@ reinit: /* target of data or connect upon too many AcceptEx failures */
 b->length = BytesRead;
 context->overlapped.Pointer = b;
 }
- else
+ else {
+ if (accf == 2) {
+ apr_bucket_free(buf);
+ }
 context->overlapped.Pointer = NULL;
+ }
 }
 else /* (accf = 0) e.g. 'none' */
 {
-- 
2.40.0
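Review bot: After the added `apr_bucket_free(buf);` in the new `else {` branch of `server/mpm/winnt/child.c`, `buf` still holds the freed address, and the hunk does not show whether a later path (for example a jump back to the `reinit:` label named in the hunk header) can reach it again. Adding `buf = NULL;` directly after the free would turn any stale use into an immediate fault rather than a silent use-after-free or double free. The bare `accf == 2` would read better with a short comment such as `/* accf 2: buffer was allocated for AcceptEx but no data arrived */`, in the style of the `/* (accf = 0) e.g. 'none' */` comment just below; what the value 2 stands for is defined outside the hunk, so the wording needs confirming. The enclosing function starts and ends outside the hunk, so the other exits between the allocation and this branch should be checked for the same unreleased buffer. Separately, the CHANGES entry added by this patch cites CVE-2014-0226, which the following entry already uses for the scoreboard race, while the subject line cites CVE-2014-3523.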