From 2e5c23a8727c125332be3c0f74bc9a6e7e6bea86 Mon Sep 17 00:00:00 2001
From: Yann Ylavic
Date: Fri, 14 Nov 2014 18:18:15 +0000
Subject: [PATCH] mod_authnz_fcgi: Fix a potential crash with response headers' size above 8K. (similar to r1638818 for mod_proxy_fcgi).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1639717 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 3 +++
 docs/log-message-tags/next-number | 2 +-
 modules/aaa/mod_authnz_fcgi.c | 27 ++++++++++++++++++++-------
 3 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/CHANGES b/CHANGES
index 740c9f6069..74e462be05 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,9 @@ Changes with Apache 2.5.0
      mod_proxy_fcgi: Fix a potential crash with response headers' size above 8K.
      [Teguh , Yann Ylavic]
+  *) mod_authnz_fcgi: Fix a potential crash with response headers' size above 8K.
+     [Yann Ylavic]
+
   *) mod_authnz_ldap: Resolve crashes with LDAP authz and non-LDAP authn since r1608202. [Eric Covener]
diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number
index c5efbfab64..a59062df09 100644
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-2821
+2822
diff --git a/modules/aaa/mod_authnz_fcgi.c b/modules/aaa/mod_authnz_fcgi.c
index 5e4a937850..360d5ce866 100644
--- a/modules/aaa/mod_authnz_fcgi.c
+++ b/modules/aaa/mod_authnz_fcgi.c
@@ -406,13 +406,12 @@ enum {
  *
  * Returns 0 if it can't find the end of the headers, and 1 if it found the
  * end of the headers.
  */
-static int handle_headers(request_rec *r,
-                          int *state,
-                          char *readbuf)
+static int handle_headers(request_rec *r, int *state,
+                          char *readbuf, apr_size_t readlen)
 {
     const char *itr = readbuf;
-    while (*itr) {
+    while (readlen) {
         if (*itr == '\r') {
             switch (*state) {
             case HDR_STATE_GOT_CRLF:
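Review bot: The comment block kept as context above the new signature still documents only the 0 and 1 return values, yet handle_headers now also returns -1 (the `else { return -1; }` branch added in the next hunk) when it meets a control character other than HTAB, and the new `readlen` parameter is not described at all. The contract also changed in a way callers must know: with `while (readlen)` replacing `while (*itr)`, readbuf no longer has to be NUL-terminated, and a NUL among the first readlen bytes is now rejected with -1 instead of silently ending the scan. Suggest rewriting the comment's return sentence to `* Returns -1 if an invalid (control) character is found in the headers, 0 if it` / `* can't find the end of the headers, and 1 if it found the end of the headers.` and adding `* readlen is the number of valid bytes in readbuf (no NUL terminator needed).` The body of handle_headers continues outside this hunk.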
@@ -443,13 +442,17 @@ static int handle_headers(request_rec *r,
                 break;
             }
         }
-        else {
+        else if (*itr == '\t' || !apr_iscntrl(*itr)) {
             *state = HDR_STATE_READING_HEADERS;
         }
+        else {
+            return -1;
+        }
         if (*state == HDR_STATE_DONE_WITH_HEADERS)
             break;
+        --readlen;
         ++itr;
     }
@@ -555,7 +558,17 @@ static apr_status_t handle_response(const fcgi_provider_conf *conf,
         APR_BRIGADE_INSERT_TAIL(ob, b);
         if (!seen_end_of_headers) {
-            int st = handle_headers(r, &header_state, readbuf);
+            int st = handle_headers(r, &header_state, readbuf,
+                                    readbuflen);
+
+            if (st == -1) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                              APLOGNO(02821) "%s: error reading "
+                              "headers from %s", fn, conf->backend);
+                rv = APR_EINVAL;
+                break;
+            }
             if (st == 1) {
                 int status;
@@ -646,7 +659,7 @@ static apr_status_t handle_response(const fcgi_provider_conf *conf,
         /*
          * Read/discard any trailing padding.
          */
-        if (plen) {
+        if (rv == APR_SUCCESS && plen) {
             rv = recv_data_full(conf, r, s, readbuf, plen);
             if (rv != APR_SUCCESS) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
-- 
2.50.1
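Review bot: The new `else if (*itr == '\t' || !apr_iscntrl(*itr))` branch carries no explanation of which bytes it is meant to accept, and the rule it encodes (HTAB is the only control character tolerated inside a header line; any other control byte, including NUL, aborts the parse with -1) is exactly the kind of thing the next reader will want stated, since it is what makes the 8K overrun unreachable. Suggest a comment on that line: `/* HTAB is the only control character allowed in a header line; any other control byte is malformed, reject the response. */`. Two further observations for the same branch: `*state` is left untouched on the -1 path, which is fine only because the caller breaks out of its loop on -1 (next hunk), and bytes with the high bit set pass through as non-control only if apr_iscntrl applies the usual unsigned-char cast before calling iscntrl — worth confirming against the APR version in use rather than assuming. The start of the while loop is outside this hunk.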
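Review bot: The message logged under APLOGNO(02821) says `"%s: error reading headers from %s"`, but the only way to reach this block is `st == -1`, which handle_headers returns for an invalid character in the headers, not for a read failure (the `0` passed as the status argument confirms no APR error is involved); an operator seeing this line will look for a network or socket problem. Suggest `APLOGNO(02821) "%s: invalid character in headers from %s"` so the log points at the backend's response rather than at the transport. The `rv = APR_EINVAL; break;` path relies on the loop's exit code treating a non-success rv as a failed request; the padding read in the last hunk is guarded accordingly, but the remainder of that exit path is outside these hunks and should be checked. I also read `readbuflen` as the number of bytes actually received into readbuf in this iteration rather than the buffer's capacity; the recv that sets it is outside the hunk, so please confirm.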