From: Jim Jagielski Date: Thu, 17 Jul 2014 18:20:46 +0000 (+0000) Subject: Merge r1610501 from trunk: X-Git-Tag: 2.2.28~33 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cd3a22b771357b554448051feaa1a906b2bc0d50;p=thirdparty%2Fapache%2Fhttpd.git Merge r1610501 from trunk: *) SECURITY: CVE-2014-0118 (cve.mitre.org) mod_deflate: The DEFLATE input filter (inflates request bodies) now limits the length and compression ratio of inflated request bodies to avoid denial of sevice via highly compressed bodies. See directives DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst. Thanks to Giancarlo Pellegrino and Davide Balzarotti for reporting the issue. Submitted By: ylavic, covener Reviewed By: jorton, covener, jim Submitted by: covener Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611426 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index dbd55b8d483..c480c9cd4ca 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,13 @@  -*- coding: utf-8 -*- Changes with Apache 2.2.28 + *) SECURITY: CVE-2014-0118 (cve.mitre.org) + mod_deflate: The DEFLATE input filter (inflates request bodies) now + limits the length and compression ratio of inflated request bodies to avoid + denial of sevice via highly compressed bodies. See directives + DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, + and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener] + *) SECURITY: CVE-2014-0231 (cve.mitre.org) mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes diff --git a/STATUS b/STATUS index fcfc357bd70..6ab876f8826 100644 --- a/STATUS +++ b/STATUS @@ -99,16 +99,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * SECURITY: CVE-2014-0118 (cve.mitre.org) - mod_deflate: The DEFLATE input filter (inflates request bodies) now - limits the length and compression ratio of inflated request bodies to avoid - denial of sevice via highly compressed bodies. See directives - DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, - and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener] - - trunk patch: http://svn.apache.org/r1610501 - 2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-deflate_limitrequestbody.diff - +1: covener, ylavic, jorton * mod_deflate: Don't fail when asked to flush inflated data to the user-agent and that coincides with the end of stream ("Zlib error flushing diff --git a/docs/manual/mod/mod_deflate.xml b/docs/manual/mod/mod_deflate.xml index c3f79f2981c..bfbd48cb571 100644 --- a/docs/manual/mod/mod_deflate.xml +++ b/docs/manual/mod/mod_deflate.xml @@ -332,5 +332,58 @@ client + +DeflateInflateLimitRequestBody +Maximum size of inflated request bodies +DeflateInflateLimitRequestBodyvalue +None, but LimitRequestBody applies after deflation +server configvirtual host +directory.htaccess +2.2.28 and later + + +

The DeflateInflateLimitRequestBody directive + specifies the maximum size of an inflated request body. If it is unset, + LimitRequestBody is applied to the + inflated body.

+ + + + +DeflateInflateRatioLimit +Maximum inflation ratio for request bodies +DeflateInflateRatioLimit value +200 +server configvirtual host +directory.htaccess +2.2.28 and later + + +

The DeflateInflateRatioLimit directive + specifies the maximum ratio of deflated to inflated size of an + inflated request body. This ratio is checked as the body is + streamed in, and if crossed more than + DeflateInflateRatioBurst times the request + will be terminated.

+ + + + +DeflateInflateRatioBurst +Maximum number of times the inflation ratio for request bodies + can be crossed +DeflateInflateRatioBurst value +3 +server configvirtual host +directory.htaccess +2.2.28 and later + + +

The DeflateInflateRatioBurst directive + specifies the maximum number of times the + DeflateInflateRatioLimit cab be crossed before + terminating the request.

+ + diff --git a/modules/filters/mod_deflate.c b/modules/filters/mod_deflate.c index 7856e35fa87..bd68812bca6 100644 --- a/modules/filters/mod_deflate.c +++ b/modules/filters/mod_deflate.c @@ -37,6 +37,7 @@ #include "httpd.h" #include "http_config.h" #include "http_log.h" +#include "http_core.h" #include "apr_lib.h" #include "apr_strings.h" #include "apr_general.h" @@ -51,6 +52,9 @@ static const char deflateFilterName[] = "DEFLATE"; module AP_MODULE_DECLARE_DATA deflate_module; +#define AP_INFLATE_RATIO_LIMIT 200 +#define AP_INFLATE_RATIO_BURST 3 + typedef struct deflate_filter_config_t { int windowSize; @@ -62,6 +66,12 @@ typedef struct deflate_filter_config_t char *note_output_name; } deflate_filter_config; +typedef struct deflate_dirconf_t { + apr_off_t inflate_limit; + int ratio_limit, + ratio_burst; +} deflate_dirconf_t; + /* RFC 1952 Section 2.3 defines the gzip header: * * +---+---+---+---+---+---+---+---+---+---+ @@ -193,6 +203,14 @@ static void *create_deflate_server_config(apr_pool_t *p, server_rec *s) return c; } +static void *create_deflate_dirconf(apr_pool_t *p, char *dummy) +{ + deflate_dirconf_t *dc = apr_pcalloc(p, sizeof(*dc)); + dc->ratio_limit = AP_INFLATE_RATIO_LIMIT; + dc->ratio_burst = AP_INFLATE_RATIO_BURST; + return dc; +} + static const char *deflate_set_window_size(cmd_parms *cmd, void *dummy, const char *arg) { @@ -284,6 +302,55 @@ static const char *deflate_set_compressionlevel(cmd_parms *cmd, void *dummy, return NULL; } + +static const char *deflate_set_inflate_limit(cmd_parms *cmd, void *dirconf, + const char *arg) +{ + deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf; + char *errp; + + if (APR_SUCCESS != apr_strtoff(&dc->inflate_limit, arg, &errp, 10)) { + return "DeflateInflateLimitRequestBody is not parsable."; + } + if (*errp || dc->inflate_limit < 0) { + return "DeflateInflateLimitRequestBody requires a non-negative integer."; + } + + return NULL; +} + +static const char *deflate_set_inflate_ratio_limit(cmd_parms *cmd, + void *dirconf, + const char *arg) +{ + deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf; + int i; + + i = atoi(arg); + if (i <= 0) + return "DeflateInflateRatioLimit must be positive"; + + dc->ratio_limit = i; + + return NULL; +} + +static const char *deflate_set_inflate_ratio_burst(cmd_parms *cmd, + void *dirconf, + const char *arg) +{ + deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf; + int i; + + i = atoi(arg); + if (i <= 0) + return "DeflateInflateRatioBurst must be positive"; + + dc->ratio_burst = i; + + return NULL; +} + typedef struct deflate_ctx_t { z_stream stream; @@ -294,8 +361,26 @@ typedef struct deflate_ctx_t unsigned char *validation_buffer; apr_size_t validation_buffer_length; int inflate_init; + int ratio_hits; + apr_off_t inflate_total; } deflate_ctx; +/* Check whether the (inflate) ratio exceeds the configured limit/burst. */ +static int check_ratio(request_rec *r, deflate_ctx *ctx, + const deflate_dirconf_t *dc) +{ + if (ctx->stream.total_in) { + int ratio = ctx->stream.total_out / ctx->stream.total_in; + if (ratio < dc->ratio_limit) { + ctx->ratio_hits = 0; + } + else if (++ctx->ratio_hits > dc->ratio_burst) { + return 0; + } + } + return 1; +} + /* Number of validation bytes (CRC and length) after the compressed data */ #define VALIDATION_SIZE 8 /* Do not update ctx->crc, see comment in flush_libz_buffer */ @@ -744,6 +829,8 @@ static apr_status_t deflate_in_filter(ap_filter_t *f, int zRC; apr_status_t rv; deflate_filter_config *c; + deflate_dirconf_t *dc; + apr_off_t inflate_limit; /* just get out of the way of things we don't want. */ if (mode != AP_MODE_READBYTES) { @@ -751,6 +838,7 @@ static apr_status_t deflate_in_filter(ap_filter_t *f, } c = ap_get_module_config(r->server->module_config, &deflate_module); + dc = ap_get_module_config(r->per_dir_config, &deflate_module); if (!ctx) { char deflate_hdr[10]; @@ -803,11 +891,13 @@ static apr_status_t deflate_in_filter(ap_filter_t *f, if (len != 10 || deflate_hdr[0] != deflate_magic[0] || deflate_hdr[1] != deflate_magic[1]) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Failed to inflate input: wrong/partial magic bytes"); return APR_EGENERAL; } /* We can't handle flags for now. */ if (deflate_hdr[3] != 0) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Failed to inflate input: cannot handle deflate flags"); return APR_EGENERAL; } @@ -831,6 +921,12 @@ static apr_status_t deflate_in_filter(ap_filter_t *f, apr_brigade_cleanup(ctx->bb); } + inflate_limit = dc->inflate_limit; + if (inflate_limit == 0) { + /* The core is checking the deflated body, we'll check the inflated */ + inflate_limit = ap_get_limit_req_body(f->r); + } + if (APR_BRIGADE_EMPTY(ctx->proc_bb)) { rv = ap_get_brigade(f->next, ctx->bb, mode, block, readbytes); @@ -863,6 +959,17 @@ static apr_status_t deflate_in_filter(ap_filter_t *f, ctx->stream.next_out = ctx->buffer; len = c->bufferSize - ctx->stream.avail_out; + + ctx->inflate_total += len; + if (inflate_limit && ctx->inflate_total > inflate_limit) { + inflateEnd(&ctx->stream); + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "Inflated content length of %" APR_OFF_T_FMT + " is larger than the configured limit" + " of %" APR_OFF_T_FMT, + ctx->inflate_total, inflate_limit); + return APR_ENOSPC; + } ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len); tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len, @@ -891,6 +998,26 @@ static apr_status_t deflate_in_filter(ap_filter_t *f, ctx->stream.next_out = ctx->buffer; len = c->bufferSize - ctx->stream.avail_out; + ctx->inflate_total += len; + if (inflate_limit && ctx->inflate_total > inflate_limit) { + inflateEnd(&ctx->stream); + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "Inflated content length of %" APR_OFF_T_FMT + " is larger than the configured limit" + " of %" APR_OFF_T_FMT, + ctx->inflate_total, inflate_limit); + return APR_ENOSPC; + } + + if (!check_ratio(r, ctx, dc)) { + inflateEnd(&ctx->stream); + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "Inflated content ratio is larger than the " + "configured limit %i by %i time(s)", + dc->ratio_limit, dc->ratio_burst); + return APR_EINVAL; + } + ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len); tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len, NULL, f->c->bucket_alloc); @@ -1003,6 +1130,7 @@ static apr_status_t inflate_out_filter(ap_filter_t *f, int zRC; apr_status_t rv; deflate_filter_config *c; + deflate_dirconf_t *dc; /* Do nothing if asked to filter nothing. */ if (APR_BRIGADE_EMPTY(bb)) { @@ -1010,6 +1138,7 @@ static apr_status_t inflate_out_filter(ap_filter_t *f, } c = ap_get_module_config(r->server->module_config, &deflate_module); + dc = ap_get_module_config(r->per_dir_config, &deflate_module); if (!ctx) { @@ -1272,6 +1401,14 @@ static apr_status_t inflate_out_filter(ap_filter_t *f, while (ctx->stream.avail_in != 0) { if (ctx->stream.avail_out == 0) { + if (!check_ratio(r, ctx, dc)) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, + "Inflated content ratio is larger than the " + "configured limit %i by %i time(s)", + dc->ratio_limit, dc->ratio_burst); + return APR_EINVAL; + } + ctx->stream.next_out = ctx->buffer; len = c->bufferSize - ctx->stream.avail_out; @@ -1346,12 +1483,20 @@ static const command_rec deflate_filter_cmds[] = { "Set the Deflate Memory Level (1-9)"), AP_INIT_TAKE1("DeflateCompressionLevel", deflate_set_compressionlevel, NULL, RSRC_CONF, "Set the Deflate Compression Level (1-9)"), + AP_INIT_TAKE1("DeflateInflateLimitRequestBody", deflate_set_inflate_limit, NULL, OR_ALL, + "Set a limit on size of inflated input"), + AP_INIT_TAKE1("DeflateInflateRatioLimit", deflate_set_inflate_ratio_limit, NULL, OR_ALL, + "Set the inflate ratio limit above which inflation is " + "aborted (default: " APR_STRINGIFY(AP_INFLATE_RATIO_LIMIT) ")"), + AP_INIT_TAKE1("DeflateInflateRatioBurst", deflate_set_inflate_ratio_burst, NULL, OR_ALL, + "Set the maximum number of following inflate ratios above limit " + "(default: " APR_STRINGIFY(AP_INFLATE_RATIO_BURST) ")"), {NULL} }; module AP_MODULE_DECLARE_DATA deflate_module = { STANDARD20_MODULE_STUFF, - NULL, /* dir config creater */ + create_deflate_dirconf, /* dir config creater */ NULL, /* dir merger --- default is to override */ create_deflate_server_config, /* server config */ NULL, /* merge server config */