From 7d7f7cade3d10babaed40d23b28e74297d0f35a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Thu, 21 Jul 2022 18:14:08 +0200 Subject: [PATCH] Resolves: #2097452 - CVE-2022-29404 httpd: mod_lua: DoS in r:parsebody --- httpd-2.4.53-CVE-2022-29404.patch | 126 ++++++++++++++++++++++++++++++ httpd.spec | 4 + 2 files changed, 130 insertions(+) create mode 100644 httpd-2.4.53-CVE-2022-29404.patch diff --git a/httpd-2.4.53-CVE-2022-29404.patch b/httpd-2.4.53-CVE-2022-29404.patch new file mode 100644 index 0000000..df4f70f --- /dev/null +++ b/httpd-2.4.53-CVE-2022-29404.patch @@ -0,0 +1,126 @@ +diff --git a/docs/manual/mod/core.html.en b/docs/manual/mod/core.html.en +index bb6b90a..d14aed4 100644 +--- a/docs/manual/mod/core.html.en ++++ b/docs/manual/mod/core.html.en +@@ -2796,16 +2796,16 @@ subrequests + Description:Restricts the total size of the HTTP request body sent + from the client + Syntax:LimitRequestBody bytes +-Default:LimitRequestBody 0 ++Default:LimitRequestBody 1073741824 + Context:server config, virtual host, directory, .htaccess + Override:All + Status:Core + Module:core ++Compatibility:In Apache HTTP Server 2.4.53 and earlier, the default value ++ was 0 (unlimited) + +-

This directive specifies the number of bytes from 0 +- (meaning unlimited) to 2147483647 (2GB) that are allowed in a +- request body. See the note below for the limited applicability +- to proxy requests.

++

This directive specifies the number of bytes ++ that are allowed in a request body. A value of 0 means unlimited.

+ +

The LimitRequestBody directive allows + the user to set a limit on the allowed size of an HTTP request +@@ -2831,12 +2831,6 @@ from the client + +

LimitRequestBody 102400
+ +- +-

For a full description of how this directive is interpreted by +- proxy requests, see the mod_proxy documentation.

+-
+- +- + +
top
+

LimitRequestFields Directive

+diff --git a/docs/manual/mod/mod_proxy.html.en b/docs/manual/mod/mod_proxy.html.en +index ee7b1e3..233d234 100644 +--- a/docs/manual/mod/mod_proxy.html.en ++++ b/docs/manual/mod/mod_proxy.html.en +@@ -463,9 +463,6 @@ ProxyPass "/examples" "http://backend.example.com/examples" timeout=10 + Content-Length header, but the server is configured to filter incoming + request bodies.

+ +-

LimitRequestBody only applies to +- request bodies that the server will spool to disk

+- +
top
+
+

Reverse Proxy Request Headers

+diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
+index 43e8c6d..33c78f3 100644
+--- a/modules/http/http_filters.c
++++ b/modules/http/http_filters.c
+@@ -1703,6 +1703,7 @@ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy)
+ {
+ const char *tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
+ const char *lenp = apr_table_get(r->headers_in, "Content-Length");
++ apr_off_t limit_req_body = ap_get_limit_req_body(r);
+
+ r->read_body = read_policy;
+ r->read_chunked = 0;
+@@ -1738,6 +1739,11 @@ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy)
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
+
++ if (limit_req_body > 0 && (r->remaining > limit_req_body)) {
++ /* will be logged when the body is discarded */
++ return HTTP_REQUEST_ENTITY_TOO_LARGE;
++ }
++
+ #ifdef AP_DEBUG
+ {
+ /* Make sure ap_getline() didn't leave any droppings. */
+diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
+index bc86253..85f2f9c 100644
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -4260,13 +4260,10 @@ PROXY_DECLARE(int) ap_proxy_spool_input(request_rec *r,
+ apr_bucket *e;
+ apr_off_t bytes, fsize = 0;
+ apr_file_t *tmpfile = NULL;
+- apr_off_t limit;
+
+ *bytes_spooled = 0;
+ body_brigade = apr_brigade_create(p, bucket_alloc);
+
+- limit = ap_get_limit_req_body(r);
+-
+ do {
+ if (APR_BRIGADE_EMPTY(input_brigade)) {
+ rv = ap_proxy_read_input(r, backend, input_brigade,
+@@ -4284,17 +4281,6 @@ PROXY_DECLARE(int) ap_proxy_spool_input(request_rec *r,
+ apr_brigade_length(input_brigade, 1, &bytes);
+
+ if (*bytes_spooled + bytes > max_mem_spool) {
+- /*
+- * LimitRequestBody does not affect Proxy requests (Should it?).
+- * Let it take effect if we decide to store the body in a
+- * temporary file on disk.
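Review bot: The early rejection added in the second `ap_setup_client_block` hunk compares `r->remaining` with the limit, which only helps when the body length is known up front. For a `Transfer-Encoding: chunked` request `r->remaining` is presumably still zero at this point, so the function returns success and the limit has to be enforced while the body is read. Nothing in either hunk shows where that happens, so the comment should say so, e.g. `/* Content-Length case only; chunked bodies must be bounded as they are read */`, and it is worth confirming that body-reading callers such as mod_lua's r:parsebody hit that read-time limit. The function starts and ends outside both hunks, so the code that sets `r->remaining` is not visible here.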
+- */ +- if (limit && (*bytes_spooled + bytes > limit)) { +- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01088) +- "Request body is larger than the configured " +- "limit of %" APR_OFF_T_FMT, limit); +- return HTTP_REQUEST_ENTITY_TOO_LARGE; +- } + /* can't spool any more in memory; write latest brigade to disk */ + if (tmpfile == NULL) { + const char *temp_dir; +diff --git a/server/core.c b/server/core.c +index 3d44e0e..682259f 100644 +--- a/server/core.c ++++ b/server/core.c +@@ -71,7 +71,7 @@ + + /* LimitRequestBody handling */ + #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) +-#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) ++#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */ + + /* LimitXMLRequestBody handling */ + #define AP_LIMIT_UNSET ((long) -1) diff --git a/httpd.spec b/httpd.spec index 0059187..a21f465 100644 --- a/httpd.spec +++ b/httpd.spec @@ -124,6 +124,8 @@ Patch201: httpd-2.4.53-CVE-2022-28615.patch Patch202: httpd-2.4.53-CVE-2022-31813.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2095002 Patch203: httpd-2.4.53-CVE-2022-28614.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2095012 +Patch204: httpd-2.4.53-CVE-2022-29404.patch License: ASL 2.0 BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto @@ -295,6 +297,7 @@ written in the Lua programming language. %patch201 -p1 -b .CVE-2022-28615 %patch202 -p1 -b .CVE-2022-31813 %patch203 -p1 -b .CVE-2022-28614 +%patch204 -p1 -b .CVE-2022-29404 # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -862,6 +865,7 @@ exit $rv - Resolves: #2098248 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism - Resolves: #2097016 - CVE-2022-28614 httpd: out-of-bounds read via ap_rwrite() +- Resolves: #2097452 - CVE-2022-29404 httpd: mod_lua: DoS in r:parsebody * Mon Jun 27 2022 Luboš Uhliarik - 2.4.53-6 - Related: #2065677 - httpd minimisation for ubi-micro
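Review bot: With the `limit` check removed from `ap_proxy_spool_input`, nothing in the visible loop bounds how much of a request body is written to the temporary file once `max_mem_spool` is exceeded. The function now depends on LimitRequestBody being enforced before the data reaches `input_brigade`, which this hunk does not show; if that is the case, a comment at the spool branch such as `/* LimitRequestBody is enforced by the input side, not here */` would record the dependency. The removal also drops the `APLOGNO(01088)` error line, so log alerting keyed on that message will stop matching and oversized proxied bodies will surface only through whatever the input-side rejection logs. The function continues outside the hunk.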
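Review bot: The `/* 1GB */` comment on `AP_DEFAULT_LIMIT_REQ_BODY` is the only in-code record of a behaviour change: a server with no explicit LimitRequestBody goes from unlimited to rejecting bodies above 1 GiB. I would spell that out as `/* 1 GiB; 0 still means unlimited and was the default through 2.4.53 */`, matching the Compatibility note this patch adds to core.html.en. The expansion is correct because the cast binds tighter than the shift, but `((apr_off_t)1 << 30)` reads less ambiguously.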