Merge r953377,r953385,r953418 from trunk:
authorRainer Jung <rjung@apache.org>
Fri, 11 Jun 2010 09:10:29 +0000 (09:10 +0000)
committerRainer Jung <rjung@apache.org>
Fri, 11 Jun 2010 09:10:29 +0000 (09:10 +0000)
mod_proxy_http, mod_proxy_ajp, mod_reqtimeout:
Use APR_STATUS_IS_TIMEUP instead of direct compare
to APR_TIMEUP to be more safe on different platforms.

Note: This commit has an additional, platform-independent change to
mod_proxy_http.c to mark the back-end connection for closing
("backend->close = 1;").  That code is not required to resolve
CVE-2010-2068 on any platform.

PR: 49417
Addresses CVE-2010-2068 (changes to mod_proxy_http.c)
Submitted by: rjung, rpluem
Reviewed by: rjung, rpluem, wrowe

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@953616 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
modules/filters/mod_reqtimeout.c
modules/proxy/mod_proxy_ajp.c
modules/proxy/mod_proxy_http.c

diff --git a/CHANGES b/CHANGES
index 43161640208bb157fca88163bb29af02a98986e4..ed23d5122c843b4aebf13b429556b8cefa23a187 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.16
 
+  *) mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection
+     for platforms Windows, Netware and OS2. [Rainer Jung]
+
   *) mod_ssl: Fix segfault at startup if proxy client certs are shared
      across multiple vhosts.  PR 39915.  [Joe Orton]
 
diff --git a/STATUS b/STATUS
index 463350fe686d82109b3a3f0c93e8d9acf55ff9e7..ba6291d6e417c308280016cafa06719b6648c997 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -132,14 +132,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
    +1: niq, pgollucci
    +1: rbowen - After much debate on IRC, we've agreed on FallbackResource as being the right name for this.
 
- * mod_proxy_http, mod_proxy_ajp, mod_reqtimeout: Use APR_STATUS_IS_TIMEUP
-   instead of direct compare to APR_TIMEUP to be more safe on different platforms.
-   Backport from trunk of http://svn.apache.org/viewvc?rev=953418&view=rev
-                          http://svn.apache.org/viewvc?rev=953385&view=rev
-                          http://svn.apache.org/viewvc?rev=953377&view=rev
-   +1: rjung, wrowe, rpluem
-   -1: 
-
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
index 215a04c0f817ff7bd463f71c1e0c02e17763bd6a..4aec0fcdcf05b01019067f21783244e4ef463a76 100644 (file)
@@ -155,7 +155,7 @@ static apr_status_t reqtimeout_filter(ap_filter_t *f,
         extend_timeout(ccfg, bb);
     }
 
-    if (rv == APR_TIMEUP) {
+    if (APR_STATUS_IS_TIMEUP(rv)) {
         ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c,
                       "Request %s read timeout", ccfg->type);
     }
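Review bot: The switch to `APR_STATUS_IS_TIMEUP(rv)` carries no comment saying why a direct comparison is wrong, so a later cleanup could reintroduce `rv == APR_TIMEUP` without anyone noticing. The CHANGES entry says the direct comparison missed timeouts on Windows, Netware and OS2, and that reason belongs next to the code. I would add `/* APR_STATUS_IS_TIMEUP, not == APR_TIMEUP: some platforms report timeouts with OS-specific status codes */` above the test here, and the same at the replaced comparisons in the mod_proxy_ajp.c and mod_proxy_http.c hunks. reqtimeout_filter starts and ends outside this hunk.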
index fa8c41f814a8833d382c1909d797f4dccde672db..974251851374656cb8d1d5d6abc3bb021b285606 100644 (file)
@@ -450,15 +450,18 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
                         }
                     }
                     else {
+                        apr_status_t rv;
+
                         e = apr_bucket_transient_create(send_body_chunk_buff, size,
                                                     r->connection->bucket_alloc);
                         APR_BRIGADE_INSERT_TAIL(output_brigade, e);
 
                         if ((conn->worker->flush_packets == flush_on) ||
                             ((conn->worker->flush_packets == flush_auto) &&
-                            (apr_poll(conn_poll, 1, &conn_poll_fd,
-                                      conn->worker->flush_wait)
-                                        == APR_TIMEUP) ) ) {
+                            ((rv = apr_poll(conn_poll, 1, &conn_poll_fd,
+                                             conn->worker->flush_wait))
+                                             != APR_SUCCESS) &&
+                              APR_STATUS_IS_TIMEUP(rv))) {
                             e = apr_bucket_flush_create(r->connection->bucket_alloc);
                             APR_BRIGADE_INSERT_TAIL(output_brigade, e);
                         }
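Review bot: An `apr_poll` failure other than a timeout is dropped silently by the new condition: `rv` is assigned, compared with `APR_SUCCESS`, tested for timeout and never looked at again, so a poll error neither triggers the flush nor leaves a log line. The `!= APR_SUCCESS` test also reads as if it mattered, although it appears to exist only to host the assignment, presumably because the macro can expand to several comparisons and must not be given the call itself. A comment such as `/* rv is stored first: APR_STATUS_IS_TIMEUP may evaluate its argument more than once */` would make that clear. A debug-level log for the non-timeout case would help when diagnosing back-end stalls. The enclosing loop in ap_proxy_ajp_request begins and ends outside the hunk.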
index 555a3b81404d09ee0c56e171b9424fe6e481797e..83d4e23a415da6ce3f17f7f1db875495b0496009 100644 (file)
@@ -1401,7 +1401,7 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
             ap_log_rerror(APLOG_MARK, APLOG_ERR, rc, r,
                           "proxy: error reading status line from remote "
                           "server %s:%d", backend->hostname, backend->port);
-            if (rc == APR_TIMEUP) {
+            if (APR_STATUS_IS_TIMEUP(rc)) {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                               "proxy: read timeout");
             }
@@ -1417,7 +1417,7 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
              * we normally would handle timeouts
              */
             if (r->proxyreq == PROXYREQ_REVERSE && c->keepalives &&
-                rc != APR_TIMEUP) {
+                !APR_STATUS_IS_TIMEUP(rc)) {
                 apr_bucket *eos;
 
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
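Review bot: The guard `!APR_STATUS_IS_TIMEUP(rc)` is a negative test, so every status that is not recognised as a timeout is treated as a closed keepalive connection and takes the quiet path that returns OK. That is the fail-open shape behind the issue this commit addresses: an unrecognised timeout code was handled as a normal close. A positive test for the statuses that really mean "peer closed", for example `APR_STATUS_IS_EOF(rc)`, would fail safe if another platform-specific code appears. At minimum the block comment above this condition, which starts outside the hunk, should say that the branch is only safe when timeouts are reliably detected. Where `rc` is assigned is not visible here, so the exact set of statuses it can carry needs checking against the caller.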
@@ -1449,6 +1449,8 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
                     APR_BUCKET_INSERT_BEFORE(eos, e);
                 }
                 ap_pass_brigade(r->output_filters, bb);
+                /* Mark the backend connection for closing */
+                backend->close = 1;
                 /* Need to return OK to avoid sending an error message */
                 return OK;
             }
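Review bot: The new comment `/* Mark the backend connection for closing */` restates the assignment and does not say why the connection must not be reused. From the commit message this looks like defence in depth: a back-end connection whose status-line read failed may still deliver a response later, and if the connection is returned to the pool, that response could be read by an unrelated request. I would word it as `/* Never reuse this backend connection: a late response must not reach another request */`. The commit message states that this line is not needed to resolve CVE-2010-2068, which is worth keeping in the comment so the line is not removed as redundant. The enclosing branch of ap_proxy_http_process_response starts outside the hunk.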