From c7c14f473fc0b925e377fea9c7b79f82ece0c23b Mon Sep 17 00:00:00 2001 From: Ruediger Pluem Date: Thu, 1 Sep 2011 10:25:45 +0000 Subject: [PATCH] * Fix a regression in the CVE-2011-3192 byterange fix: Range: bytes=-1 Resulted in the first two bytes delivered, not in the last one. PR: 51748 Submitted by: low_priority Reviewed by: rpluem git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1163985 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 9 +++++++++ modules/http/byterange_filter.c | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 5dd40d6d7a..86c1af7ee1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,15 @@ -*- coding: utf-8 -*- Changes with Apache 2.3.15 + *) Fix a regression in the CVE-2011-3192 byterange fix. + PR 51748. [low_priority ] + + *) SECURITY: CVE-2011-3192 (cve.mitre.org) + core: Fix handling of byte-range requests to use less memory, to avoid + denial of service. If the sum of all ranges in a request is larger than + the original file, ignore the ranges and send the complete file. + PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener] + *) core: Add MaxRanges directive to control the number of ranges permitted before returning the entire resource, with a default limit of 200. [Eric Covener] diff --git a/modules/http/byterange_filter.c b/modules/http/byterange_filter.c index 7fe003e3ff..18b3122366 100644 --- a/modules/http/byterange_filter.c +++ b/modules/http/byterange_filter.c @@ -544,7 +544,7 @@ static int ap_set_byterange(request_rec *r, apr_off_t clength, return 0; } - if (dash == range) { + if (dash == cur) { /* In the form "-5" */ if (apr_strtoff(&number, dash+1, &errp, 10) || *errp) { return 0; -- 2.49.0
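Review bot: The regression entry added to CHANGES ("Fix a regression in the CVE-2011-3192 byterange fix. PR 51748.") does not say what the regression was, so an administrator reading the changelog cannot tell whether their clients were affected. The commit message already states the symptom (a `Range: bytes=-1` request returned the first two bytes instead of the last one); carrying that sentence into the entry would make it self-explanatory. The same hunk also adds the SECURITY entry for CVE-2011-3192 itself (PR 51714), which the commit message does not mention; noting that in the log, or landing it as its own change, would keep the history of the original fix easier to trace.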
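Review bot: The change from `if (dash == range)` to `if (dash == cur)` in ap_set_byterange() ships without a regression test; the diffstat lists only CHANGES and modules/http/byterange_filter.c. A test that sends `Range: bytes=-1` and asserts that exactly the last byte comes back would pin the behaviour reported in PR 51748, and a second case that puts a suffix range after another range in the same header would confirm the "-5" branch is taken for every range spec and not only the first. Because the regression came from comparing against `range` where `cur` was meant, a short comment on this branch saying that `cur` is the start of the range spec being parsed would make the distinction harder to lose in a later edit.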