af9996ce69
- mod_cache: fix NULL pointer dereference on empty Content-Type (CVE-2014-3581) - mod_proxy_fcgi: fix a potential crash with long headers (CVE-2014-3583) - mod_lua: fix handling of the Require line when a LuaAuthzProvider is used in multiple Require directives with different arguments (CVE-2014-8109)
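--- a/modules/proxy/mod_proxy_fcgi.c 2014/11/12 15:32:12 1638817
+++ b/modules/proxy/mod_proxy_fcgi.c 2014/11/12 15:41:07 1638818
@@ -18,6 +18,8 @@
 #include "util_fcgi.h"
 #include "util_script.h"
 
+#include "apr_lib.h" /* for apr_iscntrl() */
+
 module AP_MODULE_DECLARE_DATA proxy_fcgi_module;
 
 /*
@@ -310,13 +312,12 @@
 *
 * Returns 0 if it can't find the end of the headers, and 1 if it found the
 * end of the headers. */
-static int handle_headers(request_rec *r,
- int *state,
- char *readbuf)
+static int handle_headers(request_rec *r, int *state,
+ const char *readbuf, apr_size_t readlen)
 {
 const char *itr = readbuf;
 
- while (*itr) {
+ while (readlen) {
 if (*itr == '\r') {
 switch (*state) {
 case HDR_STATE_GOT_CRLF:
@@ -347,13 +348,17 @@
 break;
 }
 }
- else {
+ else if (*itr == '\t' || !apr_iscntrl(*itr)) {
 *state = HDR_STATE_READING_HEADERS;
 }
+ else {
+ return -1;
+ }
 
 if (*state == HDR_STATE_DONE_WITH_HEADERS)
 break;
 
+ --readlen;
 ++itr;
 }
 
@@ -563,7 +568,14 @@
 APR_BRIGADE_INSERT_TAIL(ob, b);
 
 if (! seen_end_of_headers) {
- int st = handle_headers(r, &header_state, iobuf);
+ int st = handle_headers(r, &header_state, iobuf,
+ readbuflen);
+
+ if (st == -1) {
+ *err = "parsing response headers";
+ rv = APR_EINVAL;
+ break;
+ }
 
 if (st == 1) {
 int status;
@@ -684,6 +696,11 @@
 break;
 }
 
+ if (*err) {
+ /* stop on error in the above switch */
+ break;
+ }
+
 if (plen) {
 rv = get_data_full(conn, iobuf, plen);
 if (rv != APR_SUCCESS) {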
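Review bot: The comment above handle_headers() still documents only the 0 and 1 results, although the new `else { return -1; }` branch in the `@@ -347,13 +348,17 @@` hunk adds a third outcome when the backend sends a control character other than tab (CR and LF are presumably handled in the part of the loop outside the hunk). I would extend that comment with `Returns -1 if the data contains a control character that is not valid in a header` and add that the function reads at most `readlen` bytes and does not expect `readbuf` to be NUL-terminated, since that bound is what the fix relies on. In the `@@ -684,6 +696,11 @@` hunk the `if (*err)` exit only works if `*err` is NULL whenever the switch did not fail; its initialisation is not visible here, so it is worth confirming and noting in the comment on that check. Both the function body and the dispatch loop extend beyond the hunks shown.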