Resolves: #2097459 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability
This commit is contained in:
parent
7d7f7cade3
commit
9837c3578f
|
@ -0,0 +1,557 @@
|
|||
From db47781128e42bd49f55076665b3f6ca4e2bc5e2 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Covener <covener@apache.org>
|
||||
Date: Wed, 1 Jun 2022 12:50:40 +0000
|
||||
Subject: [PATCH] Merge r1901506 from trunk:
|
||||
|
||||
limit mod_sed memory use
|
||||
|
||||
Resync mod_sed.c with trunk due to merge conflicts.
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901509 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
modules/filters/mod_sed.c | 75 ++++++++----------
|
||||
modules/filters/sed1.c | 158 +++++++++++++++++++++++++++-----------
|
||||
2 files changed, 147 insertions(+), 86 deletions(-)
|
||||
|
||||
diff --git a/modules/filters/mod_sed.c b/modules/filters/mod_sed.c
|
||||
index 4bdb4ce33ae..12cb04a20f9 100644
|
||||
--- a/modules/filters/mod_sed.c
|
||||
+++ b/modules/filters/mod_sed.c
|
||||
@@ -59,7 +59,7 @@ typedef struct sed_filter_ctxt
|
||||
module AP_MODULE_DECLARE_DATA sed_module;
|
||||
|
||||
/* This function will be call back from libsed functions if there is any error
|
||||
- * happend during execution of sed scripts
|
||||
+ * happened during execution of sed scripts
|
||||
*/
|
||||
static apr_status_t log_sed_errf(void *data, const char *error)
|
||||
{
|
||||
@@ -277,7 +277,7 @@ static apr_status_t sed_response_filter(ap_filter_t *f,
|
||||
apr_bucket_brigade *bb)
|
||||
{
|
||||
apr_bucket *b;
|
||||
- apr_status_t status;
|
||||
+ apr_status_t status = APR_SUCCESS;
|
||||
sed_config *cfg = ap_get_module_config(f->r->per_dir_config,
|
||||
&sed_module);
|
||||
sed_filter_ctxt *ctx = f->ctx;
|
||||
@@ -302,9 +302,9 @@ static apr_status_t sed_response_filter(ap_filter_t *f,
|
||||
return status;
|
||||
ctx = f->ctx;
|
||||
apr_table_unset(f->r->headers_out, "Content-Length");
|
||||
- }
|
||||
|
||||
- ctx->bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
|
||||
+ ctx->bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
|
||||
+ }
|
||||
|
||||
/* Here is the main logic. Iterate through all the buckets, read the
|
||||
* content of the bucket, call sed_eval_buffer on the data.
|
||||
@@ -326,63 +326,52 @@ static apr_status_t sed_response_filter(ap_filter_t *f,
|
||||
* in sed's internal buffer which can't be flushed until new line
|
||||
* character is arrived.
|
||||
*/
|
||||
- for (b = APR_BRIGADE_FIRST(bb); b != APR_BRIGADE_SENTINEL(bb);) {
|
||||
- const char *buf = NULL;
|
||||
- apr_size_t bytes = 0;
|
||||
+ while (!APR_BRIGADE_EMPTY(bb)) {
|
||||
+ b = APR_BRIGADE_FIRST(bb);
|
||||
if (APR_BUCKET_IS_EOS(b)) {
|
||||
- apr_bucket *b1 = APR_BUCKET_NEXT(b);
|
||||
/* Now clean up the internal sed buffer */
|
||||
sed_finalize_eval(&ctx->eval, ctx);
|
||||
status = flush_output_buffer(ctx);
|
||||
if (status != APR_SUCCESS) {
|
||||
- clear_ctxpool(ctx);
|
||||
- return status;
|
||||
+ break;
|
||||
}
|
||||
+ /* Move the eos bucket to ctx->bb brigade */
|
||||
APR_BUCKET_REMOVE(b);
|
||||
- /* Insert the eos bucket to ctx->bb brigade */
|
||||
APR_BRIGADE_INSERT_TAIL(ctx->bb, b);
|
||||
- b = b1;
|
||||
}
|
||||
else if (APR_BUCKET_IS_FLUSH(b)) {
|
||||
- apr_bucket *b1 = APR_BUCKET_NEXT(b);
|
||||
- APR_BUCKET_REMOVE(b);
|
||||
status = flush_output_buffer(ctx);
|
||||
if (status != APR_SUCCESS) {
|
||||
- clear_ctxpool(ctx);
|
||||
- return status;
|
||||
+ break;
|
||||
}
|
||||
+ /* Move the flush bucket to ctx->bb brigade */
|
||||
+ APR_BUCKET_REMOVE(b);
|
||||
APR_BRIGADE_INSERT_TAIL(ctx->bb, b);
|
||||
- b = b1;
|
||||
- }
|
||||
- else if (APR_BUCKET_IS_METADATA(b)) {
|
||||
- b = APR_BUCKET_NEXT(b);
|
||||
}
|
||||
- else if (apr_bucket_read(b, &buf, &bytes, APR_BLOCK_READ)
|
||||
- == APR_SUCCESS) {
|
||||
- apr_bucket *b1 = APR_BUCKET_NEXT(b);
|
||||
- status = sed_eval_buffer(&ctx->eval, buf, bytes, ctx);
|
||||
- if (status != APR_SUCCESS) {
|
||||
- clear_ctxpool(ctx);
|
||||
- return status;
|
||||
+ else {
|
||||
+ if (!APR_BUCKET_IS_METADATA(b)) {
|
||||
+ const char *buf = NULL;
|
||||
+ apr_size_t bytes = 0;
|
||||
+
|
||||
+ status = apr_bucket_read(b, &buf, &bytes, APR_BLOCK_READ);
|
||||
+ if (status == APR_SUCCESS) {
|
||||
+ status = sed_eval_buffer(&ctx->eval, buf, bytes, ctx);
|
||||
+ }
|
||||
+ if (status != APR_SUCCESS) {
|
||||
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, f->r, APLOGNO(10394) "error evaluating sed on output");
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
- APR_BUCKET_REMOVE(b);
|
||||
apr_bucket_delete(b);
|
||||
- b = b1;
|
||||
- }
|
||||
- else {
|
||||
- apr_bucket *b1 = APR_BUCKET_NEXT(b);
|
||||
- APR_BUCKET_REMOVE(b);
|
||||
- b = b1;
|
||||
}
|
||||
}
|
||||
- apr_brigade_cleanup(bb);
|
||||
- status = flush_output_buffer(ctx);
|
||||
- if (status != APR_SUCCESS) {
|
||||
- clear_ctxpool(ctx);
|
||||
- return status;
|
||||
+ if (status == APR_SUCCESS) {
|
||||
+ status = flush_output_buffer(ctx);
|
||||
}
|
||||
if (!APR_BRIGADE_EMPTY(ctx->bb)) {
|
||||
- status = ap_pass_brigade(f->next, ctx->bb);
|
||||
+ if (status == APR_SUCCESS) {
|
||||
+ status = ap_pass_brigade(f->next, ctx->bb);
|
||||
+ }
|
||||
apr_brigade_cleanup(ctx->bb);
|
||||
}
|
||||
clear_ctxpool(ctx);
|
||||
@@ -433,7 +422,7 @@ static apr_status_t sed_request_filter(ap_filter_t *f,
|
||||
* the buckets in bbinp and read the data from buckets and invoke
|
||||
* sed_eval_buffer on the data. libsed will generate its output using
|
||||
* sed_write_output which will add data in ctx->bb. Do it until it have
|
||||
- * atleast one bucket in ctx->bb. At the end of data eos bucket
|
||||
+ * at least one bucket in ctx->bb. At the end of data eos bucket
|
||||
* should be there.
|
||||
*
|
||||
* Once eos bucket is seen, then invoke sed_finalize_eval to clear the
|
||||
@@ -475,8 +464,10 @@ static apr_status_t sed_request_filter(ap_filter_t *f,
|
||||
if (apr_bucket_read(b, &buf, &bytes, APR_BLOCK_READ)
|
||||
== APR_SUCCESS) {
|
||||
status = sed_eval_buffer(&ctx->eval, buf, bytes, ctx);
|
||||
- if (status != APR_SUCCESS)
|
||||
+ if (status != APR_SUCCESS) {
|
||||
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, f->r, APLOGNO(10395) "error evaluating sed on input");
|
||||
return status;
|
||||
+ }
|
||||
flush_output_buffer(ctx);
|
||||
}
|
||||
}
|
||||
diff --git a/modules/filters/sed1.c b/modules/filters/sed1.c
|
||||
index 67a8d06515e..047f49ba131 100644
|
||||
--- a/modules/filters/sed1.c
|
||||
+++ b/modules/filters/sed1.c
|
||||
@@ -87,18 +87,20 @@ static void eval_errf(sed_eval_t *eval, const char *fmt, ...)
|
||||
}
|
||||
|
||||
#define INIT_BUF_SIZE 1024
|
||||
+#define MAX_BUF_SIZE 1024*8192
|
||||
|
||||
/*
|
||||
* grow_buffer
|
||||
*/
|
||||
-static void grow_buffer(apr_pool_t *pool, char **buffer,
|
||||
+static apr_status_t grow_buffer(apr_pool_t *pool, char **buffer,
|
||||
char **spend, apr_size_t *cursize,
|
||||
apr_size_t newsize)
|
||||
{
|
||||
char* newbuffer = NULL;
|
||||
apr_size_t spendsize = 0;
|
||||
- if (*cursize >= newsize)
|
||||
- return;
|
||||
+ if (*cursize >= newsize) {
|
||||
+ return APR_SUCCESS;
|
||||
+ }
|
||||
/* Avoid number of times realloc is called. It could cause huge memory
|
||||
* requirement if line size is huge e.g 2 MB */
|
||||
if (newsize < *cursize * 2) {
|
||||
@@ -107,6 +109,9 @@ static void grow_buffer(apr_pool_t *pool, char **buffer,
|
||||
|
||||
/* Align it to 4 KB boundary */
|
||||
newsize = (newsize + ((1 << 12) - 1)) & ~((1 << 12) - 1);
|
||||
+ if (newsize > MAX_BUF_SIZE) {
|
||||
+ return APR_ENOMEM;
|
||||
+ }
|
||||
newbuffer = apr_pcalloc(pool, newsize);
|
||||
if (*spend && *buffer && (*cursize > 0)) {
|
||||
spendsize = *spend - *buffer;
|
||||
@@ -119,63 +124,77 @@ static void grow_buffer(apr_pool_t *pool, char **buffer,
|
||||
if (spend != buffer) {
|
||||
*spend = *buffer + spendsize;
|
||||
}
|
||||
+ return APR_SUCCESS;
|
||||
}
|
||||
|
||||
/*
|
||||
* grow_line_buffer
|
||||
*/
|
||||
-static void grow_line_buffer(sed_eval_t *eval, apr_size_t newsize)
|
||||
+static apr_status_t grow_line_buffer(sed_eval_t *eval, apr_size_t newsize)
|
||||
{
|
||||
- grow_buffer(eval->pool, &eval->linebuf, &eval->lspend,
|
||||
+ return grow_buffer(eval->pool, &eval->linebuf, &eval->lspend,
|
||||
&eval->lsize, newsize);
|
||||
}
|
||||
|
||||
/*
|
||||
* grow_hold_buffer
|
||||
*/
|
||||
-static void grow_hold_buffer(sed_eval_t *eval, apr_size_t newsize)
|
||||
+static apr_status_t grow_hold_buffer(sed_eval_t *eval, apr_size_t newsize)
|
||||
{
|
||||
- grow_buffer(eval->pool, &eval->holdbuf, &eval->hspend,
|
||||
+ return grow_buffer(eval->pool, &eval->holdbuf, &eval->hspend,
|
||||
&eval->hsize, newsize);
|
||||
}
|
||||
|
||||
/*
|
||||
* grow_gen_buffer
|
||||
*/
|
||||
-static void grow_gen_buffer(sed_eval_t *eval, apr_size_t newsize,
|
||||
+static apr_status_t grow_gen_buffer(sed_eval_t *eval, apr_size_t newsize,
|
||||
char **gspend)
|
||||
{
|
||||
+ apr_status_t rc = 0;
|
||||
if (gspend == NULL) {
|
||||
gspend = &eval->genbuf;
|
||||
}
|
||||
- grow_buffer(eval->pool, &eval->genbuf, gspend,
|
||||
- &eval->gsize, newsize);
|
||||
- eval->lcomend = &eval->genbuf[71];
|
||||
+ rc = grow_buffer(eval->pool, &eval->genbuf, gspend,
|
||||
+ &eval->gsize, newsize);
|
||||
+ if (rc == APR_SUCCESS) {
|
||||
+ eval->lcomend = &eval->genbuf[71];
|
||||
+ }
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
/*
|
||||
* appendmem_to_linebuf
|
||||
*/
|
||||
-static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, apr_size_t len)
|
||||
+static apr_status_t appendmem_to_linebuf(sed_eval_t *eval, const char* sz, apr_size_t len)
|
||||
{
|
||||
+ apr_status_t rc = 0;
|
||||
apr_size_t reqsize = (eval->lspend - eval->linebuf) + len;
|
||||
if (eval->lsize < reqsize) {
|
||||
- grow_line_buffer(eval, reqsize);
|
||||
+ rc = grow_line_buffer(eval, reqsize);
|
||||
+ if (rc != APR_SUCCESS) {
|
||||
+ return rc;
|
||||
+ }
|
||||
}
|
||||
memcpy(eval->lspend, sz, len);
|
||||
eval->lspend += len;
|
||||
+ return APR_SUCCESS;
|
||||
}
|
||||
|
||||
/*
|
||||
* append_to_linebuf
|
||||
*/
|
||||
-static void append_to_linebuf(sed_eval_t *eval, const char* sz,
|
||||
+static apr_status_t append_to_linebuf(sed_eval_t *eval, const char* sz,
|
||||
step_vars_storage *step_vars)
|
||||
{
|
||||
apr_size_t len = strlen(sz);
|
||||
char *old_linebuf = eval->linebuf;
|
||||
+ apr_status_t rc = 0;
|
||||
/* Copy string including null character */
|
||||
- appendmem_to_linebuf(eval, sz, len + 1);
|
||||
+ rc = appendmem_to_linebuf(eval, sz, len + 1);
|
||||
+ if (rc != APR_SUCCESS) {
|
||||
+ return rc;
|
||||
+ }
|
||||
--eval->lspend; /* lspend will now point to NULL character */
|
||||
/* Sync step_vars after a possible linebuf expansion */
|
||||
if (step_vars && old_linebuf != eval->linebuf) {
|
||||
@@ -189,68 +208,84 @@ static void append_to_linebuf(sed_eval_t *eval, const char* sz,
|
||||
step_vars->locs = step_vars->locs - old_linebuf + eval->linebuf;
|
||||
}
|
||||
}
|
||||
+ return APR_SUCCESS;
|
||||
}
|
||||
|
||||
/*
|
||||
* copy_to_linebuf
|
||||
*/
|
||||
-static void copy_to_linebuf(sed_eval_t *eval, const char* sz,
|
||||
+static apr_status_t copy_to_linebuf(sed_eval_t *eval, const char* sz,
|
||||
step_vars_storage *step_vars)
|
||||
{
|
||||
eval->lspend = eval->linebuf;
|
||||
- append_to_linebuf(eval, sz, step_vars);
|
||||
+ return append_to_linebuf(eval, sz, step_vars);
|
||||
}
|
||||
|
||||
/*
|
||||
* append_to_holdbuf
|
||||
*/
|
||||
-static void append_to_holdbuf(sed_eval_t *eval, const char* sz)
|
||||
+static apr_status_t append_to_holdbuf(sed_eval_t *eval, const char* sz)
|
||||
{
|
||||
apr_size_t len = strlen(sz);
|
||||
apr_size_t reqsize = (eval->hspend - eval->holdbuf) + len + 1;
|
||||
+ apr_status_t rc = 0;
|
||||
if (eval->hsize <= reqsize) {
|
||||
- grow_hold_buffer(eval, reqsize);
|
||||
+ rc = grow_hold_buffer(eval, reqsize);
|
||||
+ if (rc != APR_SUCCESS) {
|
||||
+ return rc;
|
||||
+ }
|
||||
}
|
||||
memcpy(eval->hspend, sz, len + 1);
|
||||
/* hspend will now point to NULL character */
|
||||
eval->hspend += len;
|
||||
+ return APR_SUCCESS;
|
||||
}
|
||||
|
||||
/*
|
||||
* copy_to_holdbuf
|
||||
*/
|
||||
-static void copy_to_holdbuf(sed_eval_t *eval, const char* sz)
|
||||
+static apr_status_t copy_to_holdbuf(sed_eval_t *eval, const char* sz)
|
||||
{
|
||||
eval->hspend = eval->holdbuf;
|
||||
- append_to_holdbuf(eval, sz);
|
||||
+ return append_to_holdbuf(eval, sz);
|
||||
}
|
||||
|
||||
/*
|
||||
* append_to_genbuf
|
||||
*/
|
||||
-static void append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend)
|
||||
+static apr_status_t append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend)
|
||||
{
|
||||
apr_size_t len = strlen(sz);
|
||||
apr_size_t reqsize = (*gspend - eval->genbuf) + len + 1;
|
||||
+ apr_status_t rc = 0;
|
||||
if (eval->gsize < reqsize) {
|
||||
- grow_gen_buffer(eval, reqsize, gspend);
|
||||
+ rc = grow_gen_buffer(eval, reqsize, gspend);
|
||||
+ if (rc != APR_SUCCESS) {
|
||||
+ return rc;
|
||||
+ }
|
||||
}
|
||||
memcpy(*gspend, sz, len + 1);
|
||||
/* *gspend will now point to NULL character */
|
||||
*gspend += len;
|
||||
+ return APR_SUCCESS;
|
||||
}
|
||||
|
||||
/*
|
||||
* copy_to_genbuf
|
||||
*/
|
||||
-static void copy_to_genbuf(sed_eval_t *eval, const char* sz)
|
||||
+static apr_status_t copy_to_genbuf(sed_eval_t *eval, const char* sz)
|
||||
{
|
||||
apr_size_t len = strlen(sz);
|
||||
apr_size_t reqsize = len + 1;
|
||||
+ apr_status_t rc = APR_SUCCESS;;
|
||||
if (eval->gsize < reqsize) {
|
||||
- grow_gen_buffer(eval, reqsize, NULL);
|
||||
+ rc = grow_gen_buffer(eval, reqsize, NULL);
|
||||
+ if (rc != APR_SUCCESS) {
|
||||
+ return rc;
|
||||
+ }
|
||||
}
|
||||
memcpy(eval->genbuf, sz, len + 1);
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -397,6 +432,7 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz
|
||||
}
|
||||
|
||||
while (bufsz) {
|
||||
+ apr_status_t rc = 0;
|
||||
char *n;
|
||||
apr_size_t llen;
|
||||
|
||||
@@ -411,7 +447,10 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz
|
||||
break;
|
||||
}
|
||||
|
||||
- appendmem_to_linebuf(eval, buf, llen + 1);
|
||||
+ rc = appendmem_to_linebuf(eval, buf, llen + 1);
|
||||
+ if (rc != APR_SUCCESS) {
|
||||
+ return rc;
|
||||
+ }
|
||||
--eval->lspend;
|
||||
/* replace new line character with NULL */
|
||||
*eval->lspend = '\0';
|
||||
@@ -426,7 +465,10 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz
|
||||
|
||||
/* Save the leftovers for later */
|
||||
if (bufsz) {
|
||||
- appendmem_to_linebuf(eval, buf, bufsz);
|
||||
+ apr_status_t rc = appendmem_to_linebuf(eval, buf, bufsz);
|
||||
+ if (rc != APR_SUCCESS) {
|
||||
+ return rc;
|
||||
+ }
|
||||
}
|
||||
|
||||
return APR_SUCCESS;
|
||||
@@ -448,6 +490,7 @@ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *fout)
|
||||
/* Process leftovers */
|
||||
if (eval->lspend > eval->linebuf) {
|
||||
apr_status_t rv;
|
||||
+ apr_status_t rc = 0;
|
||||
|
||||
if (eval->lreadyflag) {
|
||||
eval->lreadyflag = 0;
|
||||
@@ -457,7 +500,10 @@ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *fout)
|
||||
* buffer is not a newline.
|
||||
*/
|
||||
/* Assure space for NULL */
|
||||
- append_to_linebuf(eval, "", NULL);
|
||||
+ rc = append_to_linebuf(eval, "", NULL);
|
||||
+ if (rc != APR_SUCCESS) {
|
||||
+ return rc;
|
||||
+ }
|
||||
}
|
||||
|
||||
*eval->lspend = '\0';
|
||||
@@ -655,11 +701,15 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
|
||||
sp = eval->genbuf;
|
||||
rp = rhsbuf;
|
||||
sp = place(eval, sp, lp, step_vars->loc1);
|
||||
+ if (sp == NULL) {
|
||||
+ return APR_EGENERAL;
|
||||
+ }
|
||||
while ((c = *rp++) != 0) {
|
||||
if (c == '&') {
|
||||
sp = place(eval, sp, step_vars->loc1, step_vars->loc2);
|
||||
- if (sp == NULL)
|
||||
+ if (sp == NULL) {
|
||||
return APR_EGENERAL;
|
||||
+ }
|
||||
}
|
||||
else if (c == '\\') {
|
||||
c = *rp++;
|
||||
@@ -675,13 +725,19 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
|
||||
*sp++ = c;
|
||||
if (sp >= eval->genbuf + eval->gsize) {
|
||||
/* expand genbuf and set the sp appropriately */
|
||||
- grow_gen_buffer(eval, eval->gsize + 1024, &sp);
|
||||
+ rv = grow_gen_buffer(eval, eval->gsize + 1024, &sp);
|
||||
+ if (rv != APR_SUCCESS) {
|
||||
+ return rv;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
lp = step_vars->loc2;
|
||||
step_vars->loc2 = sp - eval->genbuf + eval->linebuf;
|
||||
- append_to_genbuf(eval, lp, &sp);
|
||||
- copy_to_linebuf(eval, eval->genbuf, step_vars);
|
||||
+ rv = append_to_genbuf(eval, lp, &sp);
|
||||
+ if (rv != APR_SUCCESS) {
|
||||
+ return rv;
|
||||
+ }
|
||||
+ rv = copy_to_linebuf(eval, eval->genbuf, step_vars);
|
||||
return rv;
|
||||
}
|
||||
|
||||
@@ -695,7 +751,10 @@ static char *place(sed_eval_t *eval, char *asp, char *al1, char *al2)
|
||||
apr_size_t reqsize = (sp - eval->genbuf) + n + 1;
|
||||
|
||||
if (eval->gsize < reqsize) {
|
||||
- grow_gen_buffer(eval, reqsize, &sp);
|
||||
+ apr_status_t rc = grow_gen_buffer(eval, reqsize, &sp);
|
||||
+ if (rc != APR_SUCCESS) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
}
|
||||
memcpy(sp, al1, n);
|
||||
return sp + n;
|
||||
@@ -750,7 +809,8 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
|
||||
}
|
||||
|
||||
p1++;
|
||||
- copy_to_linebuf(eval, p1, step_vars);
|
||||
+ rv = copy_to_linebuf(eval, p1, step_vars);
|
||||
+ if (rv != APR_SUCCESS) return rv;
|
||||
eval->jflag++;
|
||||
break;
|
||||
|
||||
@@ -760,21 +820,27 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
|
||||
break;
|
||||
|
||||
case GCOM:
|
||||
- copy_to_linebuf(eval, eval->holdbuf, step_vars);
|
||||
+ rv = copy_to_linebuf(eval, eval->holdbuf, step_vars);
|
||||
+ if (rv != APR_SUCCESS) return rv;
|
||||
break;
|
||||
|
||||
case CGCOM:
|
||||
- append_to_linebuf(eval, "\n", step_vars);
|
||||
- append_to_linebuf(eval, eval->holdbuf, step_vars);
|
||||
+ rv = append_to_linebuf(eval, "\n", step_vars);
|
||||
+ if (rv != APR_SUCCESS) return rv;
|
||||
+ rv = append_to_linebuf(eval, eval->holdbuf, step_vars);
|
||||
+ if (rv != APR_SUCCESS) return rv;
|
||||
break;
|
||||
|
||||
case HCOM:
|
||||
- copy_to_holdbuf(eval, eval->linebuf);
|
||||
+ rv = copy_to_holdbuf(eval, eval->linebuf);
|
||||
+ if (rv != APR_SUCCESS) return rv;
|
||||
break;
|
||||
|
||||
case CHCOM:
|
||||
- append_to_holdbuf(eval, "\n");
|
||||
- append_to_holdbuf(eval, eval->linebuf);
|
||||
+ rv = append_to_holdbuf(eval, "\n");
|
||||
+ if (rv != APR_SUCCESS) return rv;
|
||||
+ rv = append_to_holdbuf(eval, eval->linebuf);
|
||||
+ if (rv != APR_SUCCESS) return rv;
|
||||
break;
|
||||
|
||||
case ICOM:
|
||||
@@ -896,7 +962,8 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
|
||||
if (rv != APR_SUCCESS)
|
||||
return rv;
|
||||
}
|
||||
- append_to_linebuf(eval, "\n", step_vars);
|
||||
+ rv = append_to_linebuf(eval, "\n", step_vars);
|
||||
+ if (rv != APR_SUCCESS) return rv;
|
||||
eval->pending = ipc->next;
|
||||
break;
|
||||
|
||||
@@ -970,9 +1037,12 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
|
||||
break;
|
||||
|
||||
case XCOM:
|
||||
- copy_to_genbuf(eval, eval->linebuf);
|
||||
- copy_to_linebuf(eval, eval->holdbuf, step_vars);
|
||||
- copy_to_holdbuf(eval, eval->genbuf);
|
||||
+ rv = copy_to_genbuf(eval, eval->linebuf);
|
||||
+ if (rv != APR_SUCCESS) return rv;
|
||||
+ rv = copy_to_linebuf(eval, eval->holdbuf, step_vars);
|
||||
+ if (rv != APR_SUCCESS) return rv;
|
||||
+ rv = copy_to_holdbuf(eval, eval->genbuf);
|
||||
+ if (rv != APR_SUCCESS) return rv;
|
||||
break;
|
||||
|
||||
case YCOM:
|
|
@ -126,6 +126,8 @@ Patch202: httpd-2.4.53-CVE-2022-31813.patch
|
|||
Patch203: httpd-2.4.53-CVE-2022-28614.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2095012
|
||||
Patch204: httpd-2.4.53-CVE-2022-29404.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2095015
|
||||
Patch205: httpd-2.4.53-CVE-2022-30522.patch
|
||||
|
||||
License: ASL 2.0
|
||||
BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
|
||||
|
@ -298,6 +300,7 @@ written in the Lua programming language.
|
|||
%patch202 -p1 -b .CVE-2022-31813
|
||||
%patch203 -p1 -b .CVE-2022-28614
|
||||
%patch204 -p1 -b .CVE-2022-29404
|
||||
%patch205 -p1 -b .CVE-2022-30522
|
||||
|
||||
# Patch in the vendor string
|
||||
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
|
||||
|
@ -866,6 +869,7 @@ exit $rv
|
|||
by hop-by-hop mechanism
|
||||
- Resolves: #2097016 - CVE-2022-28614 httpd: out-of-bounds read via ap_rwrite()
|
||||
- Resolves: #2097452 - CVE-2022-29404 httpd: mod_lua: DoS in r:parsebody
|
||||
- Resolves: #2097459 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability
|
||||
|
||||
* Mon Jun 27 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-6
|
||||
- Related: #2065677 - httpd minimisation for ubi-micro
|
||||
|
|
Loading…
Reference in New Issue