Receiving a negative content length from a remote server can cause

a buffer overflow in later code; reject connection if we receive an invalid
header.  CAN-2004-0492
PR:
Obtained from:
Submitted by: Mark Cox
Reviewed by: Joe Orton, Bill Stoddard, Jim Jagielski

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@103896 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/src/CHANGES b/src/CHANGES
index 008f7b1520cd965e070280544ad74a853088ef5d..048d214befaee173b5356d0405bac113704abea2 100644 (file)
--- a/src/CHANGES
+++ b/src/CHANGES
@@ -1,5 +1,9 @@
 Changes with Apache 1.3.32
 
+  *) SECURITY: CAN-2004-0492 (cve.mitre.org)
+     Reject responses from a remote server if sent an invalid (negative) 
+     Content-Length.  [Mark Cox]
+
   *) Fix a bunch of cases where the return code of the regex compiler
      was not checked properly. This affects mod_usertrack and
      core. PR 28218.  [André Malo]

diff --git a/src/modules/proxy/proxy_http.c b/src/modules/proxy/proxy_http.c
index 020f5c5b7d914fa23b2d5575265e7beb4fb9fc05..1a73a6541eeded80ca77f1a60c6f1ec5c84442d3 100644 (file)
--- a/src/modules/proxy/proxy_http.c
+++ b/src/modules/proxy/proxy_http.c
@@ -485,6 +485,13 @@ int ap_proxy_http_handler(request_rec *r, cache_req *c, char *url,
         content_length = ap_table_get(resp_hdrs, "Content-Length");
         if (content_length != NULL) {
             c->len = ap_strtol(content_length, NULL, 10);
+
+           if (c->len < 0) {
+               ap_kill_timeout(r);
+               return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool,
+                                    "Invalid Content-Length from remote server",
+                                      NULL));
+           }
         }
 
     }