backport r791454 from 2.2.x branch:
authorJeff Trawick <trawick@apache.org>
Sun, 26 Sep 2010 13:30:22 +0000 (13:30 +0000)
committerJeff Trawick <trawick@apache.org>
Sun, 26 Sep 2010 13:30:22 +0000 (13:30 +0000)
SECURITY: CVE-2009-1891 (cve.mitre.org)
Fix a potential Denial-of-Service attack against mod_deflate or other
modules, in which the server is forced to consume CPU time compressing a
large file after a client disconnects.  [Joe Orton, Ruediger Pluem]

Submitted by: jorton, rpluem
Reviewed by: pgollucci, poirier, rjung

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1001425 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
server/core.c

diff --git a/CHANGES b/CHANGES
index 287b41540e59f3e8c4711f37dbda1a4f4653a70d..e25b671b83a8304713d6f11a3e0c40f2f145bb01 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,12 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.64
 
+  *) SECURITY: CVE-2009-1891 (cve.mitre.org)
+     Fix a potential Denial-of-Service attack against mod_deflate or other 
+     modules, by forcing the server to consume CPU time in compressing a 
+     large file after a client disconnects.  PR 39605.
+     [Joe Orton, Ruediger Pluem]
+
   *) SECURITY: CVE-2009-3095 (cve.mitre.org)
      mod_proxy_ftp: sanity check authn credentials.
      [Stefan Fritsch <sf fritsch.de>, Joe Orton]
diff --git a/STATUS b/STATUS
index db9f8180389bb1c9a8a42dcd1cde3c107b8ce67e..5d2c68667d052b0c5498ffb34c3247cade714eae 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -122,14 +122,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  * core output filter, CVE-2009-1891, consuming CPU after client disconnects
-    Patch in 2.2.x branch:
-      http://svn.apache.org/viewvc?view=revision&revision=791454
-    Dan's patch posted last year for 2.0.x:
-      http://people.apache.org/~trawick/CVE-2009-1891-2.0-poirier.txt
-    +1: pgollucci, poirier, rjung
-      PG: whomever proposed this should vote for it
-
   * mod_ssl: Implement SSLInsecureRenegotiation
     Trunk version of patch:
       http://svn.apache.org/viewcvs.cgi?rev=906039&view=rev
index ab5a426736ca30a3d217ac8f59011a05e8ba016f..a6b1b4e6fc769c97ed7df44786cfdf3a6cc60056 100644 (file)
@@ -3969,6 +3969,12 @@ static apr_status_t core_output_filter(ap_filter_t *f, apr_bucket_brigade *b)
     apr_read_type_e eblock = APR_NONBLOCK_READ;
     apr_pool_t *input_pool = b->p;
 
+    /* Fail quickly if the connection has already been aborted. */
+    if (c->aborted) {
+        apr_brigade_cleanup(b);
+        return APR_ECONNABORTED;
+    }
+
     if (ctx == NULL) {
         ctx = apr_pcalloc(c->pool, sizeof(*ctx));
         net->out_ctx = ctx;
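Review bot: The comment on the new `c->aborted` guard at the top of core_output_filter says what the check does but not why it exists, and the reason is the security fix itself. I would write `/* Fail quickly if the connection has already been aborted, so that filters above us (e.g. mod_deflate) see an error and stop generating output for a client that is gone (CVE-2009-1891). */`. The same gap appears in the later hunk around `c->aborted = 1;`: the comment that justified returning APR_SUCCESS is deleted, but nothing explains the new `return APR_ECONNABORTED;`. The fix presumably only helps when callers up the filter chain check the status returned by the brigade pass and stop producing data, so the comment should state that as the contract; those callers are not visible here. The body of core_output_filter starts and ends outside both hunks.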
@@ -4336,12 +4342,9 @@ static apr_status_t core_output_filter(ap_filter_t *f, apr_bucket_brigade *b)
             /* No need to check for SUCCESS, we did that above. */
             if (!APR_STATUS_IS_EAGAIN(rv)) {
                 c->aborted = 1;
+                return APR_ECONNABORTED;
             }
 
-            /* The client has aborted, but the request was successful. We
-             * will report success, and leave it to the access and error
-             * logs to note that the connection was aborted.
-             */
             return APR_SUCCESS;
         }