From: Colm MacCarthaigh <colm@apache.org>
Date: Thu, 7 Jan 2010 10:28:00 +0000 (+0000)
Subject: Commit fix for CVE-2010-0010, an integer overflow on platforms where
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=55706ab085a9b2fb574737a32882fd8a6eabece9;p=thirdparty%2Fapache%2Fhttpd.git

Commit fix for CVE-2010-0010, an integer overflow on platforms where
sizeof(int) < sizeof(long) due to inappapriate casting;

    * Change "MIN( (int) a, (int) b)" to "(int) MIN(a, b)". As 'a' is the buffer
      size, it will be smaller than any long which overflows an int.

    * More generally - change ap_bread and ap_bwrite to defend against a negative
      length argument in general. Return -1 if one is passed.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@896842 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/src/CHANGES b/src/CHANGES
index bf42c7c06d5..1bde6929dd1 100644
--- a/src/CHANGES
+++ b/src/CHANGES
@@ -1,5 +1,10 @@
 Changes with Apache 1.3.42
 
+  *) SECURITY: CVE-2010-0010 (cve.mitre.org)
+     mod_proxy: Prevent chunk-size integer overflow on platforms 
+     where sizeof(int) < sizeof(long). Reported by Adam Zabrocki. 
+     [Colm MacCárthaigh]
+ 
   *) IMPORTANT: This is the final release of Apache httpd 1.3.
      Apache httpd 1.3 has reached end of life, as of January 2010.
      No further releases of this software will be made, although critical
diff --git a/src/main/buff.c b/src/main/buff.c
index 2da1d601856..acd586f2e79 100644
--- a/src/main/buff.c
+++ b/src/main/buff.c
@@ -737,7 +737,7 @@ API_EXPORT(int) ap_bread(BUFF *fb, void *buf, int nbyte)
 {
     int i, nrd;
 
-    if (fb->flags & B_RDERR)
+    if (fb->flags & B_RDERR || nbyte < 0)
 	return -1;
     if (nbyte == 0)
 	return 0;
@@ -1258,7 +1258,7 @@ API_EXPORT(int) ap_bwrite(BUFF *fb, const void *buf, int nbyte)
     static int csize = 0;
 #endif /*CHARSET_EBCDIC*/
 
-    if (fb->flags & (B_WRERR | B_EOUT))
+    if (fb->flags & (B_WRERR | B_EOUT) || nbyte < 0)
 	return -1;
     if (nbyte == 0)
 	return 0;
diff --git a/src/modules/proxy/proxy_util.c b/src/modules/proxy/proxy_util.c
index e10aeb58a6c..ef58663da35 100644
--- a/src/modules/proxy/proxy_util.c
+++ b/src/modules/proxy/proxy_util.c
@@ -507,7 +507,7 @@ long int ap_proxy_send_fb(BUFF *f, request_rec *r, cache_req *c, off_t len, int
 
             /* read the chunk */
             if (remaining > 0) {
-                n = ap_bread(f, buf, MIN((int)buf_size, (int)remaining));
+                n = ap_bread(f, buf, (int) MIN(buf_size, remaining));
                 if (n > -1) {
                     remaining -= n;
                     end_of_chunk = (remaining == 0);
@@ -548,8 +548,8 @@ long int ap_proxy_send_fb(BUFF *f, request_rec *r, cache_req *c, off_t len, int
                 n = ap_bread(f, buf, buf_size);
             }
             else {
-                n = ap_bread(f, buf, MIN((int)buf_size,
-                                         (int)(len - total_bytes_rcvd)));
+                n = ap_bread(f, buf, (int) MIN(buf_size,
+                                               (len - total_bytes_rcvd)));
             }
         }