From 31e1a51f0f614de2d40711a0bd4324c6b39ffc66 Mon Sep 17 00:00:00 2001 From: Yann Ylavic Date: Sun, 16 Nov 2014 21:52:40 +0000 Subject: [PATCH] Revert r1638818, r1639812, r1639717 and r1639814 for new staging. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1640034 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 7 ------- docs/log-message-tags/next-number | 2 +- modules/aaa/mod_authnz_fcgi.c | 22 ++++++---------------- modules/proxy/mod_proxy_fcgi.c | 24 +++++------------------- 4 files changed, 12 insertions(+), 43 deletions(-) diff --git a/CHANGES b/CHANGES index 74e462be05..b91a5a07af 100644 --- a/CHANGES +++ b/CHANGES @@ -1,13 +1,6 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 - *) SECURITY: CVE-2014-3583 (cve.mitre.org) - mod_proxy_fcgi: Fix a potential crash with response headers' size above 8K. - [Teguh , Yann Ylavic] - - *) mod_authnz_fcgi: Fix a potential crash with response headers' size above 8K. - [Yann Ylavic] - *) mod_authnz_ldap: Resolve crashes with LDAP authz and non-LDAP authn since r1608202. [Eric Covener] diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number index a59062df09..c5efbfab64 100644 --- a/docs/log-message-tags/next-number +++ b/docs/log-message-tags/next-number @@ -1 +1 @@ -2822 +2821 diff --git a/modules/aaa/mod_authnz_fcgi.c b/modules/aaa/mod_authnz_fcgi.c index 1385b82e0f..5e4a937850 100644 --- a/modules/aaa/mod_authnz_fcgi.c +++ b/modules/aaa/mod_authnz_fcgi.c @@ -406,12 +406,13 @@ enum { * * Returns 0 if it can't find the end of the headers, and 1 if it found the * end of the headers. */ -static int handle_headers(request_rec *r, int *state, - char *readbuf, apr_size_t readlen) +static int handle_headers(request_rec *r, + int *state, + char *readbuf) { const char *itr = readbuf; - while (readlen) { + while (*itr) { if (*itr == '\r') { switch (*state) { case HDR_STATE_GOT_CRLF: 
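Review bot: The new side of `handle_headers` bounds its scan with `while (*itr)`, so the parser stops only at a NUL byte and no longer knows how many bytes the backend actually delivered into `readbuf`. Nothing in this hunk shows the buffer being terminated, and the CHANGES entry removed by this same commit describes the length-bounded version as the fix for a potential crash with response headers above 8K (CVE-2014-3583). The commit message says the revert is for new staging, so until the fix is re-applied the loop should keep its explicit bound: `static int handle_headers(request_rec *r, int *state, char *readbuf, apr_size_t readlen)`, `while (readlen) {` and `--readlen;` before `++itr;`. The same applies to the copy in modules/proxy/mod_proxy_fcgi.c (hunks at -312 and -355) and to both call sites (hunks at -555 and -565). The function body continues outside this hunk.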
@@ -449,7 +450,6 @@ static int handle_headers(request_rec *r, int *state, if (*state == HDR_STATE_DONE_WITH_HEADERS) break; - --readlen; ++itr; } @@ -555,17 +555,7 @@ static apr_status_t handle_response(const fcgi_provider_conf *conf, APR_BRIGADE_INSERT_TAIL(ob, b); if (!seen_end_of_headers) { - int st = handle_headers(r, &header_state, readbuf, - readbuflen); - - if (st == -1) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - APLOGNO(02821) "%s: error reading " - "headers from %s", - fn, conf->backend); - rv = APR_EINVAL; - break; - } + int st = handle_headers(r, &header_state, readbuf); if (st == 1) { int status; @@ -656,7 +646,7 @@ static apr_status_t handle_response(const fcgi_provider_conf *conf, /* * Read/discard any trailing padding. */ - if (rv == APR_SUCCESS && plen) { + if (plen) { rv = recv_data_full(conf, r, s, readbuf, plen); if (rv != APR_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c index 9a4dd77a3e..ab1118238b 100644 --- a/modules/proxy/mod_proxy_fcgi.c +++ b/modules/proxy/mod_proxy_fcgi.c @@ -18,8 +18,6 @@ #include "util_fcgi.h" #include "util_script.h" -#include "apr_lib.h" /* for apr_iscntrl() */ - module AP_MODULE_DECLARE_DATA proxy_fcgi_module; /* @@ -312,12 +310,13 @@ enum { * * Returns 0 if it can't find the end of the headers, and 1 if it found the * end of the headers. */ -static int handle_headers(request_rec *r, int *state, - const char *readbuf, apr_size_t readlen) +static int handle_headers(request_rec *r, + int *state, + char *readbuf) { const char *itr = readbuf; - while (readlen) { + while (*itr) { if (*itr == '\r') { switch (*state) { case HDR_STATE_GOT_CRLF: @@ -355,7 +354,6 @@ static int handle_headers(request_rec *r, int *state, if (*state == HDR_STATE_DONE_WITH_HEADERS) break; - --readlen; ++itr; } 
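Review bot: Dropping `rv == APR_SUCCESS &&` from the padding check at -646 means `recv_data_full()` runs and reassigns `rv` even when an earlier step in the loop has already failed. Whether any path still reaches this point with a failure in `rv` is not visible in the hunk, but if one does, a successful padding read would replace the error and the caller would see success. The guard does not depend on the header-length change, so `if (rv == APR_SUCCESS && plen) {` can stay as it was. The hunk at -693 in modules/proxy/mod_proxy_fcgi.c removes the matching `if (*err) break;` ahead of `get_data_full()` and deserves the same check. handle_response continues on both sides of this hunk.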
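Review bot: In the mod_proxy_fcgi.c hunk at -312, `readbuf` goes from `const char *` to `char *` in the signature although the visible body only reads it through `const char *itr = readbuf;`. Unless the part of the function outside this hunk writes through the pointer, keeping `const char *readbuf` documents that the header parser never modifies the I/O buffer and lets the compiler enforce it. The call in the hunk at -565 passes `iobuf`, which converts to the const-qualified parameter without a cast.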
@@ -565,14 +563,7 @@ recv_again: APR_BRIGADE_INSERT_TAIL(ob, b); if (! seen_end_of_headers) { - int st = handle_headers(r, &header_state, iobuf, - readbuflen); - - if (st == -1) { - *err = "parsing response headers"; - rv = APR_EINVAL; - break; - } + int st = handle_headers(r, &header_state, iobuf); if (st == 1) { int status; @@ -693,11 +684,6 @@ recv_again: break; } - if (*err) { - /* stop on error in the above switch */ - break; - } - if (plen) { rv = get_data_full(conn, iobuf, plen); if (rv != APR_SUCCESS) { -- 2.40.0