From: Jim Jagielski
Date: Tue, 17 May 2022 18:14:29 +0000 (+0000)
Subject: Merge r1900335 from trunk:
X-Git-Tag: 2.4.54-rc1-candidate~62
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0befd97dfe19e23921b4cc5412d6177f2cab6aac;p=thirdparty%2Fapache%2Fhttpd.git
Merge r1900335 from trunk: Harden mod_session and avoid overflow in case of indecently large session Submitted by: jailletc36 Reviewed by: jailletc36, rpluem, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901008 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/STATUS b/STATUS
index c8f8864f457..a962ef4b7ac 100644
--- a/STATUS
+++ b/STATUS
@@ -163,13 +163,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 ylavic: I think "extra" should be an apr_size_t. icing: added r1899905 with the proposed changes and assertions.
- *) mod_session: Harden mod_session and avoid overflow in case of indecently large
- session
- trunk patches: https://svn.apache.org/r1900335
- 2.4.x patches: svn merge -c 1900335 ^/httpd/httpd/trunk .
- +1: jailletc36, rpluem, ylavic
-
-
 *) mod_http2: remove unscheduling of ongoing tasks when client behaviour triggers mood change. Fixes https://github.com/icing/mod_h2/issues/231 Trunk version of patch: n.a.
diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
index ec4ac2e556f..fa8d40666fd 100644
--- a/modules/session/mod_session.c
+++ b/modules/session/mod_session.c
@@ -317,7 +317,8 @@ static apr_status_t ap_session_set(request_rec * r, session_rec * z,

 static int identity_count(void *v, const char *key, const char *val)
 {
- int *count = v;
+ apr_size_t *count = v;
+
 *count += strlen(key) * 3 + strlen(val) * 3 + 2;
 return 1;
 }
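Review bot: In identity_count the running total `*count += strlen(key) * 3 + strlen(val) * 3 + 2;` is still unchecked arithmetic: apr_size_t removes the signed `int` overflow, but the sum wraps silently where apr_size_t is 32 bits, and a wrapped total would undersize any buffer allocated from it (the allocation is outside this hunk). A guard such as `if (add > APR_SIZE_MAX - *count) return 0;`, with `add` holding the per-entry size, would stop the table walk instead, provided the caller checks the result of the walk. The callback now writes an apr_size_t through `void *v`, so every caller must pass the address of an apr_size_t; the hunk at -355 changes `length` to match. A comment like `/* v: apr_size_t running total; 3 bytes per input byte plus '=' and '&' (presumably worst-case escaping) */` would record that contract.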
@@ -325,7 +326,8 @@ static int identity_count(void *v, const char *key, const char *val)
 static int identity_concat(void *v, const char *key, const char *val)
 {
 char *slider = v;
- int length = strlen(slider);
+ apr_size_t length = strlen(slider);
+
 slider += length;
 if (length) {
 *slider = '&';
@@ -355,7 +357,8 @@ static int identity_concat(void *v, const char *key, const char *val)
 static apr_status_t session_identity_encode(request_rec * r, session_rec * z)
 {
 char *buffer = NULL;
- int length = 0;
+ apr_size_t length = 0;
+
 if (z->expiry) {
 char *expiry = apr_psprintf(z->pool, "%" APR_INT64_T_FMT, z->expiry);
 apr_table_setn(z->entries, SESSION_EXPIRY, expiry);
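Review bot: identity_concat still finds its write position with `strlen(slider)` over the whole buffer on every call, so encoding is quadratic in the session size, which matters most for the oversized sessions this commit is about. The callback also has no view of the buffer's capacity and, as far as the visible lines show, depends on the earlier size estimate being an upper bound for what it writes; the writes themselves are outside this hunk. Passing a small struct through `v` that carries the current write pointer and the bytes remaining would remove the rescans and let the callback refuse to write past the end. Until then a comment such as `/* v is the start of a NUL-terminated buffer; the caller must size it for the worst-case encoding */` would document the dependency.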
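Review bot: Nothing in the visible part of session_identity_encode compares `length` with a maximum before it is used. Widening it to apr_size_t keeps the count from going negative but leaves the size of the encoded session unbounded, and the estimate in identity_count is roughly three times the stored data. If the allocation that follows (outside this hunk) is sized from `length`, a check against a configured or compile-time limit right after the counting pass, returning an error status, would make an oversized session fail explicitly rather than through memory pressure. The function continues past the end of the hunk, so this rests on the declaration and the counting callback only.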