Merge r383339 from trunk:

* Crosscheck the length of the body chunk with the length of the ajp message
  to prevent readings beyond the buffer boundaries which possibly could reveal
  sensitive memory contents to the client.

Submitted by: rpluem
Reviewed by: jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@390181 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 54ff37fbf4735365c284454699e565fc6db608c1..04dcbd649a066ed8e219b5673f2a7814a7e328d4 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,11 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.2.1
 
+  *) mod_proxy_ajp: Crosscheck the length of the body chunk with the length of
+     the ajp message to prevent mod_proxy_ajp from reading beyond the buffer
+     boundaries and thus revealing possibly sensitive memory contents to the
+     client. [Ruediger Pluem]
+
   *) Ensure that the proper status line is written to the client, fixing
      incorrect status lines caused by filters which modify r->status without 
      resetting r->status_line, such as the built-in byterange filter.

diff --git a/STATUS b/STATUS
index b39b989a61639ce35ba816b7ef5a5bfc4f388f33..18b2e55581ef2c45e6678d0ab74f4b21553ca4c8 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -143,15 +143,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
          Trunk version of patch works
       +1: rpluem, jim, pquerna
 
-    * mod_proxy_ajp: Crosscheck the length of the body chunk with the length
-      of the ajp message to prevent readings beyond the buffer boundaries
-      which possibly could reveal sensitive memory contents to the client.
-      Trunk version of patch:
-         http://svn.apache.org/viewcvs?rev=383339&view=rev
-      Backport version for 2.2.x of patch:
-         Trunk version of patch works
-      +1: rpluem, pquerna, jim
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
 
     * mod_dbd: When threaded, create a private pool in child_init

diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c
index 6b2d6715077c1bd6c29263c62caab39a4e481690..49ee13ea97209d5598f221dda8e9fdb0521b6497 100644 (file)
--- a/modules/proxy/ajp_header.c
+++ b/modules/proxy/ajp_header.c
@@ -682,6 +682,7 @@ apr_status_t  ajp_parse_data(request_rec  *r, ajp_msg_t *msg,
 {
     apr_byte_t result;
     apr_status_t rc;
+    apr_uint16_t expected_len;
 
     rc = ajp_msg_get_uint8(msg, &result);
     if (rc != APR_SUCCESS) {
@@ -698,6 +699,23 @@ apr_status_t  ajp_parse_data(request_rec  *r, ajp_msg_t *msg,
     if (rc != APR_SUCCESS) {
         return rc;
     }
+    /*
+     * msg->len contains the complete length of the message including all
+     * headers. So the expected length for a CMD_AJP13_SEND_BODY_CHUNK is
+     * msg->len minus the sum of
+     * AJP_HEADER_LEN    : The length of the header to every AJP message.
+     * AJP_HEADER_SZ_LEN : The header giving the size of the chunk.
+     * 1                 : The CMD_AJP13_SEND_BODY_CHUNK indicator byte (0x03).
+     * 1                 : The last byte of this message always seems to be
+     *                     0x00 and is not part of the chunk.
+     */
+    expected_len = msg->len - (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1);
+    if (*len != expected_len) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+               "ajp_parse_data: Wrong chunk length. Length of chunk is %i,"
+               " expected length is %i.", *len, expected_len);
+        return AJP_EBAD_HEADER;
+    }
     *ptr = (char *)&(msg->buf[msg->pos]);
     return APR_SUCCESS;
 }