From: Eric Covener <covener@apache.org>
Date: Mon, 19 Jun 2017 16:48:42 +0000 (+0000)
Subject: SECURITY: CVE-2017-7668 (cve.mitre.org)
X-Git-Tag: 2.2.33~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=edb6db90d2474b5807b2459b3380bf947c5866fa;p=thirdparty%2Fapache%2Fhttpd.git

SECURITY: CVE-2017-7668 (cve.mitre.org)
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.

Merge r1796350 from trunk:
short-circuit on NULL

Submitted By: jchampion
Reviewed By: jchampion, wrowe, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1799228 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 7a950e52a67..9fe328d76c3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,13 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.33
 
+  *) SECURITY: CVE-2017-7668 (cve.mitre.org)
+     The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+     bug in token list parsing, which allows ap_find_token() to search past
+     the end of its input string. By maliciously crafting a sequence of
+     request headers, an attacker may be able to cause a segmentation fault,
+     or to force ap_find_token() to return an incorrect value.
+
   *) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
      [Joe Orton]
 
diff --git a/STATUS b/STATUS
index 91ca1e21256..3c741568b9d 100644
--- a/STATUS
+++ b/STATUS
@@ -104,11 +104,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) core: Terminate token processing on NULL.
-     trunk patch: https://svn.apache.org/r1796350
-     2.2.x patch: svn merge -c 1796350 ^/httpd/httpd/trunk .
-     +1: jchampion, wrowe, ylavic
-
   *) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
      to ssl_io_filter_error(). [Yann Ylavic]
      trunk patch: https://svn.apache.org/r1796343
diff --git a/server/util.c b/server/util.c
index 054cc1760d5..9a805b69db0 100644
--- a/server/util.c
+++ b/server/util.c
@@ -1513,10 +1513,8 @@ AP_DECLARE(int) ap_find_token(apr_pool_t *p, const char *line, const char *tok)
 
     s = (const unsigned char *)line;
     for (;;) {
-        /* find start of token, skip all stop characters, note NUL
-         * isn't a token stop, so we don't need to test for it
-         */
-        while (TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
+        /* find start of token, skip all stop characters */
+        while (*s && TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
             ++s;
         }
         if (!*s) {