summaryrefslogtreecommitdiffstats
path: root/modules
diff options
context:
space:
mode:
authorJoe Orton <jorton@apache.org>2009-07-02 15:41:18 +0200
committerJoe Orton <jorton@apache.org>2009-07-02 15:41:18 +0200
commitb5c7491d6712fcbec142ea9d2c0a870b831d6c99 (patch)
tree0bd8d9d8094dbdb56d9942c154b392ec8c965d17 /modules
parentmod_noloris just moved from discussion to attracting its first patch (diff)
downloadapache2-b5c7491d6712fcbec142ea9d2c0a870b831d6c99.tar.xz
apache2-b5c7491d6712fcbec142ea9d2c0a870b831d6c99.zip
Security fix for CVE-2009-1890:
* modules/proxy/mod_proxy_http.c (stream_reqbody_cl): Specify the base passed to apr_strtoff, and validate the Content-Length in the same way the HTTP_IN filter does. If the number of bytes streamed exceeds the expected body length, bail out of the loop. Thanks to: Toadie <toadie643 gmail.com> for reporting and diagnosis of this issue. Submitted by: niq, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@790587 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules')
-rw-r--r--modules/proxy/mod_proxy_http.c21
1 files changed, 16 insertions, 5 deletions
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
index bc59aadc3d..bdfe594d69 100644
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -427,10 +427,16 @@ static int stream_reqbody_cl(apr_pool_t *p,
apr_off_t bytes_streamed = 0;
if (old_cl_val) {
+ char *endstr;
+
add_cl(p, bucket_alloc, header_brigade, old_cl_val);
- if (APR_SUCCESS != (status = apr_strtoff(&cl_val, old_cl_val, NULL,
- 0))) {
- return HTTP_INTERNAL_SERVER_ERROR;
+ status = apr_strtoff(&cl_val, old_cl_val, &endstr, 10);
+
+ if (status || *endstr || endstr == old_cl_val || cl_val < 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+ "proxy: could not parse request Content-Length (%s)",
+ old_cl_val);
+ return HTTP_BAD_REQUEST;
}
}
terminate_headers(bucket_alloc, header_brigade);
@@ -463,8 +469,13 @@ static int stream_reqbody_cl(apr_pool_t *p,
*
* Prevents HTTP Response Splitting.
*/
- if (bytes_streamed > cl_val)
- continue;
+ if (bytes_streamed > cl_val) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "proxy: read more bytes of request body than expected "
+ "(got %" APR_OFF_T_FMT ", expected %" APR_OFF_T_FMT ")",
+ bytes_streamed, cl_val);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
if (header_brigade) {
/* we never sent the header brigade, so go ahead and