Merge r1666361 from trunk:

Avoid a potential integer underflow in the lock timeout value sent back to a client. The answer to a LOCK request could be an extremly large integer if the time needed to lock the resource was longer that the requested timeout given in the LOCK request. In such a case, we now answer "Second-0".  PR55420
Submitted by: jailletc36
Reviewed/backported by: jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670319 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 161ae68f9d626f330a5c01032fc8138a79b9d2f1..b213ab2b5601827cdda192e61cdcffdc8969d68b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -12,6 +12,13 @@ Changes with Apache 2.4.13
      calls r:wsupgrade() can cause a child process crash. 
      [Edward Lu <Chaosed0 gmail.com>]
 
+  *) mod_dav: Avoid a potential integer underflow in the lock timeout value sent
+     back to a client. The answer to a LOCK request could be an extremly large
+     integer if the time needed to lock the resource was longer that the
+     requested timeout given in the LOCK request. In such a case, we now answer
+     "Second-0".  PR55420
+     [Christophe Jaillet]
+
   *) mod_cgid: Within the first minute of a server start or restart, 
      allow mod_cgid to retry connecting to its daemon process. Previously,
      'No such file or directory: unable to connect to cgi daemon...' could

diff --git a/STATUS b/STATUS
index aed46e12568027614bd041cd75818582729f8635..270db57d171aedd3bc7d9f3226ea75130ed94f05 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -106,11 +106,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) mod_dav: Avoid a potential integer underflow in the lock timeout value sent
-     back to a client. PR 55420
-     trunk patch: http://svn.apache.org/r1666361
-     2.4.x patch: trunk works (modulo CHANGES)
-     +1: jailletc36, ylavic, covener
 
   *) core: Add expression support to ErrorDocument. Switch from a fixed
      sized 664 byte array per merge to a hash table.
@@ -129,11 +124,10 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
      trunk patch: http://svn.apache.org/r1609680
                   http://svn.apache.org/r1609688
                   http://svn.apache.org/r1641381
-     2.4.x patch: http://people.apache.org/~ylavic/httpd-2.4.x-ap_proxy_define_match_worker.patch
-     +1: ylavic
-     -1: jim (does not cleanly apply)
      ylavic: Merge patch provided (reusing new->real to avoid double de_socketfy() call).
              Also added missing r1609688 to the patchset.
+     2.4.x patch: http://people.apache.org/~ylavic/httpd-2.4.x-ap_proxy_define_match_worker.patch
+     +1: ylavic
 
    * mod_buffer: Forward flushed input data immediately and avoid (unlikely)
                  access to freed memory.

diff --git a/modules/dav/main/util_lock.c b/modules/dav/main/util_lock.c
index 6ff70efbe2fe35ce967271ed3b3a1447cb1ac8fb..1b3a6479826eb6fc6b2e7a5213e65c14779f22ae 100644 (file)
--- a/modules/dav/main/util_lock.c
+++ b/modules/dav/main/util_lock.c
@@ -133,8 +133,18 @@ DAV_DECLARE(const char *) dav_lock_get_activelock(request_rec *r,
         }
         else {
             time_t now = time(NULL);
-            apr_snprintf(tmp, sizeof(tmp), "Second-%lu", (long unsigned int)(lock->timeout - now));
-            dav_buffer_append(p, pbuf, tmp);
+            
+            /*
+            ** Check if the timeout is not, for any reason, already elapsed.
+            ** (e.g., because of a large collection, or disk under heavy load...)
+             */
+            if (now >= lock->timeout) {
+                dav_buffer_append(p, pbuf, "Second-0");
+            }
+            else {
+                apr_snprintf(tmp, sizeof(tmp), "Second-%lu", (long unsigned int)(lock->timeout - now));
+                dav_buffer_append(p, pbuf, tmp);
+            }
         }
 
         dav_buffer_append(p, pbuf,