From: Jeff Trawick Date: Tue, 30 Oct 2007 19:17:03 +0000 (+0000) Subject: SECURITY: CVE-2007-3847 (cve.mitre.org) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ef6b61bef81f0248dcd2203814b92d9b29bb678;p=thirdparty%2Fapache%2Fhttpd.git SECURITY: CVE-2007-3847 (cve.mitre.org) mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144. Reviewed by: Eric, JimJag git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@590277 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/src/CHANGES b/src/CHANGES
index 72ca3ba9055..5d8f71509d0 100644
--- a/src/CHANGES
+++ b/src/CHANGES
@@ -1,5 +1,12 @@ Changes with Apache 1.3.40 + *) SECURITY: CVE-2007-3847 (cve.mitre.org) + mod_proxy: Prevent reading past the end of a buffer when parsing + date-related headers. PR 41144. + With Apache 1.3, the denial of service vulnerability applies only + to the Windows and NetWare platforms. + [Jeff Trawick] + *) More efficient implementation of the CVE-2007-3304 PID table patch. This fixes issues with excessive memory usage by the parent process if long-running and with a high number of child
diff --git a/src/modules/proxy/proxy_util.c b/src/modules/proxy/proxy_util.c
index 7c9f092c97d..e10aeb58a6c 100644
--- a/src/modules/proxy/proxy_util.c
+++ b/src/modules/proxy/proxy_util.c
@@ -282,7 +282,8 @@ const char *
 *q = ',';
 if (wk == 7)
 return x; /* not a valid date */
- if (q[4] != '-' || q[8] != '-' || q[11] != ' ' || q[14] != ':' ||
+ if (strlen(q) != 24 ||
+ q[4] != '-' || q[8] != '-' || q[11] != ' ' || q[14] != ':' ||
 q[17] != ':' || strcmp(&q[20], " GMT") != 0)
 return x;
 if (sscanf(q + 2, "%u-%3s-%u %u:%u:%u %3s", &mday, month, &year,
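Review bot: The literal 24 in the added `strlen(q) != 24` guard is unexplained, and the bounds safety of the `q[4]` through `q[20]` reads on the following lines depends on that test staying first in the `||` chain. A comment such as `/* q is at the comma: ", DD-Mon-YY HH:MM:SS GMT" is 24 chars; must precede the q[n] reads */` would keep a later edit from reordering the tests. The same applies to `strlen(x) != 24` in the asctime() hunk further down. The enclosing function starts and ends outside this hunk, so the position of `q` is inferred from the `*q = ','` context line and the offsets being tested.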
@@ -294,8 +295,9 @@ const char *
 year += 1900;
 }
 else {
-/* check for acstime() date */
- if (x[3] != ' ' || x[7] != ' ' || x[10] != ' ' || x[13] != ':' ||
+/* check for asctime() date */
+ if (strlen(x) != 24 ||
+ x[3] != ' ' || x[7] != ' ' || x[10] != ' ' || x[13] != ':' ||
 x[16] != ':' || x[19] != ' ' || x[24] != '\0')
 return x;
 if (sscanf(x, "%3s %3s %u %u:%u:%u %u", week, month, &mday, &hour,
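Review bot: With `strlen(x) != 24` now first in the chain, the trailing `x[24] != '\0'` test on the unchanged context line can never be true, because a string of length 24 has its terminator at index 24. It is harmless, but it still reads as the length check that the old code relied on, and it only ran after the `x[3]` to `x[19]` reads. Either drop it or mark it `/* redundant with strlen(x) == 24 above */` so the real guard is obvious. The enclosing function continues past the end of this hunk, so how the sscanf() result and the parsed field ranges are validated is not visible here.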