From: Jim Jagielski
Date: Tue, 31 Mar 2015 12:48:27 +0000 (+0000)
Subject: Merge r1666361 from trunk:
X-Git-Tag: 2.4.13~298
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=51c7e660b69e8b0f5a9a070924bbcbbfd5b3f7c2;p=thirdparty%2Fapache%2Fhttpd.git

Merge r1666361 from trunk:

Avoid a potential integer underflow in the lock timeout value sent back to a client. The answer to a LOCK request could be an extremely large integer if the time needed to lock the resource was longer than the requested timeout given in the LOCK request. In such a case, we now answer "Second-0".

PR55420

Submitted by: jailletc36
Reviewed/backported by: jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670319 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES index 161ae68f9d6..b213ab2b560 100644 --- a/CHANGES +++ b/CHANGES @@ -12,6 +12,13 @@ Changes with Apache 2.4.13 calls r:wsupgrade() can cause a child process crash. [Edward Lu ] + *) mod_dav: Avoid a potential integer underflow in the lock timeout value sent + back to a client. The answer to a LOCK request could be an extremly large + integer if the time needed to lock the resource was longer that the + requested timeout given in the LOCK request. In such a case, we now answer + "Second-0". PR55420 + [Christophe Jaillet] + *) mod_cgid: Within the first minute of a server start or restart, allow mod_cgid to retry connecting to its daemon process. Previously, 'No such file or directory: unable to connect to cgi daemon...' could diff --git a/STATUS b/STATUS index aed46e12568..270db57d171 100644 --- a/STATUS +++ b/STATUS 
@@ -106,11 +106,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_dav: Avoid a potential integer underflow in the lock timeout value sent - back to a client. PR 55420 - trunk patch: http://svn.apache.org/r1666361 - 2.4.x patch: trunk works (modulo CHANGES) - +1: jailletc36, ylavic, covener *) core: Add expression support to ErrorDocument. Switch from a fixed sized 664 byte array per merge to a hash table. @@ -129,11 +124,10 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: trunk patch: http://svn.apache.org/r1609680 http://svn.apache.org/r1609688 http://svn.apache.org/r1641381 - 2.4.x patch: http://people.apache.org/~ylavic/httpd-2.4.x-ap_proxy_define_match_worker.patch - +1: ylavic - -1: jim (does not cleanly apply) ylavic: Merge patch provided (reusing new->real to avoid double de_socketfy() call). Also added missing r1609688 to the patchset. + 2.4.x patch: http://people.apache.org/~ylavic/httpd-2.4.x-ap_proxy_define_match_worker.patch + +1: ylavic * mod_buffer: Forward flushed input data immediately and avoid (unlikely) access to freed memory. diff --git a/modules/dav/main/util_lock.c b/modules/dav/main/util_lock.c index 6ff70efbe2f..1b3a6479826 100644 --- a/modules/dav/main/util_lock.c +++ b/modules/dav/main/util_lock.c @@ -133,8 +133,18 @@ DAV_DECLARE(const char *) dav_lock_get_activelock(request_rec *r, } else { time_t now = time(NULL); - apr_snprintf(tmp, sizeof(tmp), "Second-%lu", (long unsigned int)(lock->timeout - now)); - dav_buffer_append(p, pbuf, tmp); + + /* + ** Check if the timeout is not, for any reason, already elapsed. + ** (e.g., because of a large collection, or disk under heavy load...) + */ + if (now >= lock->timeout) { + dav_buffer_append(p, pbuf, "Second-0"); + } + else { + apr_snprintf(tmp, sizeof(tmp), "Second-%lu", (long unsigned int)(lock->timeout - now)); + dav_buffer_append(p, pbuf, tmp); + } } dav_buffer_append(p, pbuf,
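
Review bot: The new mod_dav entry in the CHANGES hunk has two typos that will end up in the release notes: "extremly" should be "extremely", and "longer that the requested timeout" should be "longer than the requested timeout". The entry also writes the bug reference as "PR55420" while the STATUS entry removed in the same commit writes "PR 55420"; using one form makes the reference easier to search for.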
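
Review bot: The second STATUS hunk (@@ -129,11 +124,10 @@) changes the voting record of a different proposal, the ap_proxy_define_match_worker backport, which the commit message does not mention. It moves the "2.4.x patch" and "+1: ylavic" lines below ylavic's comment and drops the line "-1: jim (does not cleanly apply)". Removing a recorded -1 is easier to audit when it is its own commit, or at least called out in the log message, so the history shows that the objection was withdrawn after the merge patch was provided and not lost in the mod_dav backport.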
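
Review bot: In the else branch added to dav_lock_get_activelock() in util_lock.c, the remaining time is still computed as a time_t difference and then cast to long unsigned int for "%lu". The new "now >= lock->timeout" guard removes the negative case that caused the huge value, but on a platform where unsigned long is narrower than time_t the cast can still truncate a large positive difference. Consider casting to apr_int64_t and formatting with APR_INT64_T_FMT so the width matches on every platform. Separately, the comment "Check if the timeout is not, for any reason, already elapsed" reads as the inverse of the condition, which is true when the timeout has elapsed; wording such as "If the timeout has already elapsed, report Second-0" would match the code.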