-*- coding: utf-8 -*-
Changes with Apache 2.2.12
+ *) SECURITY: CVE-2009-1891 (cve.mitre.org)
+ Fix a potential Denial-of-Service attack against mod_deflate or other
+ modules, by forcing the server to consume CPU time in compressing a
+ large file after a client disconnects. [Joe Orton, Ruediger Pluem]
+
*) SECURITY: CVE-2009-1195 (cve.mitre.org)
Prevent the "Includes" Option from being enabled in an .htaccess
file if the AllowOverride restrictions do not permit it.
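Review bot: The wording of the new CVE-2009-1891 entry is ambiguous: "Fix a potential Denial-of-Service attack ... by forcing the server to consume CPU time" can be read as if the fix itself forces the server to consume CPU. Suggest rephrasing so that the forcing is clearly the attack, for example "... in which a client could force the server to consume CPU time compressing a large file after it disconnects."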
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * SECURITY: CVE-2009-1891 (cve.mitre.org)
- Fix a potential Denial-of-Service attack against mod_deflate or
- other modules, by forcing the server to consume CPU time in
- compressing a large file after a client disconnects.
- 2.2.x patches:
- http://people.apache.org/~jorton/CVE-2009-1891.1.diff
- http://people.apache.org/~jorton/CVE-2009-1891.2.diff
- Trunk version of patch:
- #1 folded in during core output filter refactoring
- #2 http://svn.apache.org/viewvc?view=rev&revision=521681
- +1: jorton, jim, rpluem
- rpluem asks: Are we sure that b is never NULL?
- Otherwise we would need to add
- http://svn.apache.org/viewvc?view=rev&revision=568202
- as on trunk to avoid segfaults.
- trawick responds: if b were NULL, we would have segfaulted earlier
- when ap_pass_brigade "calls" APR_BRIGADE_LAST(bb)
- rpluem: Ahh good point. Meanwhile I had a look at trunk and the
- event MPM is calling the core output filter directly without
- ap_pass_brigade. So I am +1.
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
apr_read_type_e eblock = APR_NONBLOCK_READ;
apr_pool_t *input_pool = b->p;
+ /* Fail quickly if the connection has already been aborted. */
+ if (c->aborted) {
+ apr_brigade_cleanup(b);
+ return APR_ECONNABORTED;
+ }
+
if (ctx == NULL) {
ctx = apr_pcalloc(c->pool, sizeof(*ctx));
net->out_ctx = ctx;
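Review bot: The new `if (c->aborted)` block passes `b` to `apr_brigade_cleanup(b)`, and the context line just above it already reads `b->p`, so the filter assumes a non-NULL brigade on entry without saying so. That was the question raised in the STATUS discussion, where it was also noted that the event MPM calls this filter directly rather than through ap_pass_brigade. A one-line comment stating the precondition next to the early return would save the next reader from repeating that analysis.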
/* No need to check for SUCCESS, we did that above. */
if (!APR_STATUS_IS_EAGAIN(rv)) {
c->aborted = 1;
+ return APR_ECONNABORTED;
}
- /* The client has aborted, but the request was successful. We
- * will report success, and leave it to the access and error
- * logs to note that the connection was aborted.
- */
return APR_SUCCESS;
}
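Review bot: The added `return APR_ECONNABORTED;` after `c->aborted = 1;` carries no comment, while the comment being removed documented the earlier decision to report success on an aborted connection. Suggest replacing it with a short note that the error is now returned deliberately, so that filters further up the chain stop producing output once the client has gone. Within this block the remaining `return APR_SUCCESS;` is now reached only when the status is EAGAIN, which is worth stating there as well.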