httpd/httpd-2.4.10-CVE-2014-3583.patch

--- a/modules/proxy/mod_proxy_fcgi.c	2014/11/12 15:32:12	1638817
+++ b/modules/proxy/mod_proxy_fcgi.c	2014/11/12 15:41:07	1638818
@@ -18,6 +18,8 @@
 #include "util_fcgi.h"
 #include "util_script.h"
 
+#include "apr_lib.h" /* for apr_iscntrl() */
+
 module AP_MODULE_DECLARE_DATA proxy_fcgi_module;
 
 /*
@@ -310,13 +312,12 @@
  *
  * Returns 0 if it can't find the end of the headers, and 1 if it found the
  * end of the headers. */
-static int handle_headers(request_rec *r,
-                          int *state,
-                          char *readbuf)
+static int handle_headers(request_rec *r, int *state,
+                          const char *readbuf, apr_size_t readlen)
 {
     const char *itr = readbuf;
 
-    while (*itr) {
+    while (readlen) {
         if (*itr == '\r') {
             switch (*state) {
                 case HDR_STATE_GOT_CRLF:
@@ -347,13 +348,17 @@
                      break;
             }
         }
-        else {
+        else if (*itr == '\t' || !apr_iscntrl(*itr)) {
             *state = HDR_STATE_READING_HEADERS;
         }
+        else {
+            return -1;
+        }
 
         if (*state == HDR_STATE_DONE_WITH_HEADERS)
             break;
 
+        --readlen;
         ++itr;
     }
 
@@ -563,7 +568,14 @@
                     APR_BRIGADE_INSERT_TAIL(ob, b);
 
                     if (! seen_end_of_headers) {
-                        int st = handle_headers(r, &header_state, iobuf);
+                        int st = handle_headers(r, &header_state, iobuf,
+                                                readbuflen);
+
+                        if (st == -1) {
+                            *err = "parsing response headers";
+                            rv = APR_EINVAL;
+                            break;
+                        }
 
                         if (st == 1) {
                             int status;
@@ -684,6 +696,11 @@
                 break;
             }
 
+            if (*err) {
+                /* stop on error in the above switch */
+                break;
+            }
+
             if (plen) {
                 rv = get_data_full(conn, iobuf, plen);
                 if (rv != APR_SUCCESS) {
core: fix bypassing of mod_headers rules via chunked requests (CVE-2013-5704) - mod_cache: fix NULL pointer dereference on empty Content-Type (CVE-2014-3581) - mod_proxy_fcgi: fix a potential crash with long headers (CVE-2014-3583) - mod_lua: fix handling of the Require line when a LuaAuthzProvider is used in multiple Require directives with different arguments (CVE-2014-8109) 2014-12-17 08:25:50 +00:00			`--- a/modules/proxy/mod_proxy_fcgi.c 2014/11/12 15:32:12 1638817`
			`+++ b/modules/proxy/mod_proxy_fcgi.c 2014/11/12 15:41:07 1638818`
			`@@ -18,6 +18,8 @@`
			`#include "util_fcgi.h"`
			`#include "util_script.h"`

			`+#include "apr_lib.h" /* for apr_iscntrl() */`
			`+`
			`module AP_MODULE_DECLARE_DATA proxy_fcgi_module;`

			`/*`
			`@@ -310,13 +312,12 @@`
			`*`
			`* Returns 0 if it can't find the end of the headers, and 1 if it found the`
			`* end of the headers. */`
			`-static int handle_headers(request_rec *r,`
			`- int *state,`
			`- char *readbuf)`
			`+static int handle_headers(request_rec r, int state,`
			`+ const char *readbuf, apr_size_t readlen)`
			`{`
			`const char *itr = readbuf;`

			`- while (*itr) {`
			`+ while (readlen) {`
			`if (*itr == '\r') {`
			`switch (*state) {`
			`case HDR_STATE_GOT_CRLF:`
			`@@ -347,13 +348,17 @@`
			`break;`
			`}`
			`}`
			`- else {`
			`+ else if (itr == '\t' \|\| !apr_iscntrl(itr)) {`
			`*state = HDR_STATE_READING_HEADERS;`
			`}`
			`+ else {`
			`+ return -1;`
			`+ }`

			`if (*state == HDR_STATE_DONE_WITH_HEADERS)`
			`break;`

			`+ --readlen;`
			`++itr;`
			`}`

			`@@ -563,7 +568,14 @@`
			`APR_BRIGADE_INSERT_TAIL(ob, b);`

			`if (! seen_end_of_headers) {`
			`- int st = handle_headers(r, &header_state, iobuf);`
			`+ int st = handle_headers(r, &header_state, iobuf,`
			`+ readbuflen);`
			`+`
			`+ if (st == -1) {`
			`+ *err = "parsing response headers";`
			`+ rv = APR_EINVAL;`
			`+ break;`
			`+ }`

			`if (st == 1) {`
			`int status;`
			`@@ -684,6 +696,11 @@`
			`break;`
			`}`

			`+ if (*err) {`
			`+ /* stop on error in the above switch */`
			`+ break;`
			`+ }`
			`+`
			`if (plen) {`
			`rv = get_data_full(conn, iobuf, plen);`
			`if (rv != APR_SUCCESS) {`