From: Mark J. Cox Date: Fri, 11 Jun 2004 07:54:38 +0000 (+0000) Subject: Receiving a negative content length from a remote server can cause X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d3647a3aee176b71fec553bb491e4687bc1e0699;p=thirdparty%2Fapache%2Fhttpd.git Receiving a negative content length from a remote server can cause a buffer overflow in later code; reject connection if we receive an invalid header. CAN-2004-0492 PR: Obtained from: Submitted by: Mark Cox Reviewed by: Joe Orton, Bill Stoddard, Jim Jagielski git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@103896 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/src/CHANGES b/src/CHANGES index 008f7b1520c..048d214befa 100644 --- a/src/CHANGES +++ b/src/CHANGES @@ -1,5 +1,9 @@ Changes with Apache 1.3.32 + *) SECURITY: CAN-2004-0492 (cve.mitre.org) + Reject responses from a remote server if sent an invalid (negative) + Content-Length. [Mark Cox] + *) Fix a bunch of cases where the return code of the regex compiler was not checked properly. This affects mod_usertrack and core. PR 28218. [André Malo] diff --git a/src/modules/proxy/proxy_http.c b/src/modules/proxy/proxy_http.c index 020f5c5b7d9..1a73a6541ee 100644 --- a/src/modules/proxy/proxy_http.c +++ b/src/modules/proxy/proxy_http.c @@ -485,6 +485,13 @@ int ap_proxy_http_handler(request_rec *r, cache_req *c, char *url, content_length = ap_table_get(resp_hdrs, "Content-Length"); if (content_length != NULL) { c->len = ap_strtol(content_length, NULL, 10); + + if (c->len < 0) { + ap_kill_timeout(r); + return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool, + "Invalid Content-Length from remote server", + NULL)); + } } }
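Review bot: The src/CHANGES entry does not say which module is affected. The neighbouring entry names its scope ("This affects mod_usertrack and core"), and the code change is in src/modules/proxy/proxy_http.c, so the entry should name mod_proxy. Administrators reading the SECURITY line could then tell at once whether a server that does not load the proxy module needs the update.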
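Review bot: In the proxy_http.c hunk, the new `if (c->len < 0)` test rejects only values that parse as negative, and the parse itself is still unchecked: `ap_strtol(content_length, NULL, 10)` passes NULL as the end pointer, so a header with trailing non-digits or no digits at all is silently accepted as whatever prefix parsed (or 0), and an out-of-range value is not distinguished from a valid one. Suggest passing an end pointer, rejecting when the parse stops before the end of the header value, checking for overflow the way one would with strtol, and sending all of these down the same HTTP_BAD_GATEWAY path. Minor style point on the error return: `ap_pstrcat(r->pool, "Invalid Content-Length from remote server", NULL)` only copies a single constant string, so the literal can be passed to ap_proxyerror directly.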