From: Ruediger Pluem Date: Thu, 1 Sep 2011 10:25:45 +0000 (+0000) Subject: * Fix a regression in the CVE-2011-3192 byterange fix: X-Git-Tag: 2.3.15~307 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c7c14f473fc0b925e377fea9c7b79f82ece0c23b;p=thirdparty%2Fapache%2Fhttpd.git * Fix a regression in the CVE-2011-3192 byterange fix: Range: bytes=-1 Resulted in the first two bytes delivered, not in the last one. PR: 51748 Submitted by: low_priority Reviewed by: rpluem git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1163985 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 5dd40d6d7a3..86c1af7ee1d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,15 @@ -*- coding: utf-8 -*- Changes with Apache 2.3.15 + *) Fix a regression in the CVE-2011-3192 byterange fix. + PR 51748. [low_priority ] + + *) SECURITY: CVE-2011-3192 (cve.mitre.org) + core: Fix handling of byte-range requests to use less memory, to avoid + denial of service. If the sum of all ranges in a request is larger than + the original file, ignore the ranges and send the complete file. + PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener] + *) core: Add MaxRanges directive to control the number of ranges permitted before returning the entire resource, with a default limit of 200. [Eric Covener] diff --git a/modules/http/byterange_filter.c b/modules/http/byterange_filter.c index 7fe003e3ff7..18b31223664 100644 --- a/modules/http/byterange_filter.c +++ b/modules/http/byterange_filter.c @@ -544,7 +544,7 @@ static int ap_set_byterange(request_rec *r, apr_off_t clength, return 0; } - if (dash == range) { + if (dash == cur) { /* In the form "-5" */ if (apr_strtoff(&number, dash+1, &errp, 10) || *errp) { return 0;
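Review bot: The new CHANGES entry "Fix a regression in the CVE-2011-3192 byterange fix." does not say what the regression was, so an operator reading the changelog cannot tell whether they were affected. The commit message has the detail: "Range: bytes=-1" delivered the first two bytes instead of the last one. Suggest carrying that one sentence into the entry. The same hunk also adds the SECURITY entry for CVE-2011-3192 (PR 51714), which the commit message does not mention; either note it in the message or land it as a separate change so the history of the security entry is traceable. The attribution reads "[low_priority ]" with a stray space before the closing bracket.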
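Review bot: The changed comparison "if (dash == cur)" in ap_set_byterange comes with no test, and the commit message shows the earlier CVE-2011-3192 fix shipped with "Range: bytes=-1" returning the wrong bytes. Suggest adding a regression test for the suffix form that covers "bytes=-1" on its own and a suffix range placed after other ranges in the same header, asserting that the last N bytes are returned. It would also help to extend the comment /* In the form "-5" */ to say why the dash is compared against cur rather than range, since that distinction is what this fix turns on. Separately, the visible lines of this branch only reject a parse failure from "apr_strtoff(&number, dash+1, &errp, 10) || *errp"; nothing shown here rejects a negative result (a spec such as "--5"), so please confirm that case is handled in the lines that follow.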