httpd/httpd-2.4.10-CVE-2014-3583.patch
Jan Kaluza af9996ce69 core: fix bypassing of mod_headers rules via chunked requests (CVE-2013-5704)
- mod_cache: fix NULL pointer dereference on empty Content-Type (CVE-2014-3581)
- mod_proxy_fcgi: fix a potential crash with long headers (CVE-2014-3583)
- mod_lua: fix handling of the Require line when a LuaAuthzProvider is used
  in multiple Require directives with different arguments (CVE-2014-8109)
2014-12-17 09:25:50 +01:00


--- a/modules/proxy/mod_proxy_fcgi.c 2014/11/12 15:32:12 1638817
+++ b/modules/proxy/mod_proxy_fcgi.c 2014/11/12 15:41:07 1638818
@@ -18,6 +18,8 @@
#include "util_fcgi.h"
#include "util_script.h"
+#include "apr_lib.h" /* for apr_iscntrl() */
+
module AP_MODULE_DECLARE_DATA proxy_fcgi_module;
/*
@@ -310,13 +312,12 @@
*
* Returns 0 if it can't find the end of the headers, and 1 if it found the
* end of the headers. */
-static int handle_headers(request_rec *r,
- int *state,
- char *readbuf)
+static int handle_headers(request_rec *r, int *state,
+ const char *readbuf, apr_size_t readlen)
{
const char *itr = readbuf;
- while (*itr) {
+ while (readlen) {
if (*itr == '\r') {
switch (*state) {
case HDR_STATE_GOT_CRLF:
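Review bot: The doc comment kept as context above `handle_headers` still lists only the return values 0 and 1, but the next hunk adds a `return -1` for a disallowed control byte, so the documented contract is out of date. It also says nothing about the new `readlen` parameter, which now bounds the scan in place of a NUL terminator. I would extend the comment to `* Returns 0 if the end of the headers was not found, 1 if it was found, and -1 if an invalid control character is seen; reads at most readlen bytes of readbuf. */`. The function body continues outside this hunk.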
@@ -347,13 +348,17 @@
break;
}
}
- else {
+ else if (*itr == '\t' || !apr_iscntrl(*itr)) {
*state = HDR_STATE_READING_HEADERS;
}
+ else {
+ return -1;
+ }
if (*state == HDR_STATE_DONE_WITH_HEADERS)
break;
+ --readlen;
++itr;
}
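Review bot: The new `else if (*itr == '\t' || !apr_iscntrl(*itr))` branch has no comment saying which bytes it rejects or why, and that is the security-relevant part of the change. As far as the visible lines show, a NUL byte, which used to end the scan through `while (*itr)`, now reaches the final `else` and yields -1, assuming `apr_iscntrl` reports NUL as a control character. A one-line comment such as `/* TAB is legal header whitespace; any other control byte, NUL included, is a malformed backend response */` would record this. The branches before this `else if` lie partly outside the hunk, so the exact set of bytes that reach it should be confirmed there.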
@@ -563,7 +568,14 @@
APR_BRIGADE_INSERT_TAIL(ob, b);
if (! seen_end_of_headers) {
- int st = handle_headers(r, &header_state, iobuf);
+ int st = handle_headers(r, &header_state, iobuf,
+ readbuflen);
+
+ if (st == -1) {
+ *err = "parsing response headers";
+ rv = APR_EINVAL;
+ break;
+ }
if (st == 1) {
int status;
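Review bot: The `st == -1` path breaks out after `APR_BRIGADE_INSERT_TAIL(ob, b)` has already queued bucket `b`, which presumably wraps the bytes just rejected, and nothing in this hunk shows `ob` being cleaned up on that path. It is worth confirming in the enclosing function, which starts and ends outside the hunk, that the brigade is emptied or destroyed before `APR_EINVAL` is returned, so the malformed data is never passed to the output filters. The fixed string `"parsing response headers"` also gives an operator no hint that the backend sent an illegal byte; a comment such as `/* backend sent a control character in the header block */` above the `if` would help whoever reads the log.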
@@ -684,6 +696,11 @@
break;
}
+ if (*err) {
+ /* stop on error in the above switch */
+ break;
+ }
+
if (plen) {
rv = get_data_full(conn, iobuf, plen);
if (rv != APR_SUCCESS) {
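Review bot: The added `if (*err)` test works only if `*err` is NULL when the loop is entered, and that initialisation is not visible in this hunk. It keys on the error string rather than on `rv`, which the previous hunk also sets to `APR_EINVAL`, so the two can drift apart if a later case sets one and not the other. I would either test both or spell the dependency out in the comment, e.g. `/* a case above set *err; relies on *err being NULL on entry */`.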