From: Jim Jagielski Date: Thu, 30 Mar 2006 17:28:40 +0000 (+0000) Subject: Merge r383339 from trunk: X-Git-Tag: 2.2.1~54 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b2d46106cd52a2e6c0ab13a2c11aa40b2acee3e9;p=thirdparty%2Fapache%2Fhttpd.git Merge r383339 from trunk: * Crosscheck the length of the body chunk with the length of the ajp message to prevent readings beyond the buffer boundaries which possibly could reveal sensitive memory contents to the client. Submitted by: rpluem Reviewed by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@390181 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 54ff37fbf47..04dcbd649a0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.1 + *) mod_proxy_ajp: Crosscheck the length of the body chunk with the length of + the ajp message to prevent mod_proxy_ajp from reading beyond the buffer + boundaries and thus revealing possibly sensitive memory contents to the + client. [Ruediger Pluem] + *) Ensure that the proper status line is written to the client, fixing incorrect status lines caused by filters which modify r->status without resetting r->status_line, such as the built-in byterange filter. diff --git a/STATUS b/STATUS index b39b989a616..18b2e55581e 100644 --- a/STATUS +++ b/STATUS @@ -143,15 +143,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: Trunk version of patch works +1: rpluem, jim, pquerna - * mod_proxy_ajp: Crosscheck the length of the body chunk with the length - of the ajp message to prevent readings beyond the buffer boundaries - which possibly could reveal sensitive memory contents to the client. - Trunk version of patch: - http://svn.apache.org/viewcvs?rev=383339&view=rev - Backport version for 2.2.x of patch: - Trunk version of patch works - +1: rpluem, pquerna, jim - PATCHES PROPOSED TO BACKPORT FROM TRUNK: * mod_dbd: When threaded, create a private pool in child_init diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c index 6b2d6715077..49ee13ea972 100644 --- a/modules/proxy/ajp_header.c +++ b/modules/proxy/ajp_header.c @@ -682,6 +682,7 @@ apr_status_t ajp_parse_data(request_rec *r, ajp_msg_t *msg, { apr_byte_t result; apr_status_t rc; + apr_uint16_t expected_len; rc = ajp_msg_get_uint8(msg, &result); if (rc != APR_SUCCESS) { @@ -698,6 +699,23 @@ apr_status_t ajp_parse_data(request_rec *r, ajp_msg_t *msg, if (rc != APR_SUCCESS) { return rc; } + /* + * msg->len contains the complete length of the message including all + * headers. So the expected length for a CMD_AJP13_SEND_BODY_CHUNK is + * msg->len minus the sum of + * AJP_HEADER_LEN : The length of the header to every AJP message. + * AJP_HEADER_SZ_LEN : The header giving the size of the chunk. + * 1 : The CMD_AJP13_SEND_BODY_CHUNK indicator byte (0x03). + * 1 : The last byte of this message always seems to be + * 0x00 and is not part of the chunk. + */ + expected_len = msg->len - (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1); + if (*len != expected_len) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, + "ajp_parse_data: Wrong chunk length. Length of chunk is %i," + " expected length is %i.", *len, expected_len); + return AJP_EBAD_HEADER; + } *ptr = (char *)&(msg->buf[msg->pos]); return APR_SUCCESS; }