The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.
Merge r1796350 from trunk:
short-circuit on NULL
Submitted By: jchampion
Reviewed By: jchampion, wrowe, ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@
1799228 13f79535-47bb-0310-9956-
ffa450edef68
-*- coding: utf-8 -*-
Changes with Apache 2.2.33
+ *) SECURITY: CVE-2017-7668 (cve.mitre.org)
+ The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+ bug in token list parsing, which allows ap_find_token() to search past
+ the end of its input string. By maliciously crafting a sequence of
+ request headers, an attacker may be able to cause a segmentation fault,
+ or to force ap_find_token() to return an incorrect value.
+
*) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
[Joe Orton]
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) core: Terminate token processing on NULL.
- trunk patch: https://svn.apache.org/r1796350
- 2.2.x patch: svn merge -c 1796350 ^/httpd/httpd/trunk .
- +1: jchampion, wrowe, ylavic
-
*) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
to ssl_io_filter_error(). [Yann Ylavic]
trunk patch: https://svn.apache.org/r1796343
s = (const unsigned char *)line;
for (;;) {
- /* find start of token, skip all stop characters, note NUL
- * isn't a token stop, so we don't need to test for it
- */
- while (TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
+ /* find start of token, skip all stop characters */
+ while (*s && TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
++s;
}
if (!*s) {
projects / thirdparty / apache / httpd.git / commitdiff
