From 062871e52fef5e21c21efad8e406ca84fbea58a8 Mon Sep 17 00:00:00 2001 From: Jeff Trawick Date: Mon, 28 Jun 2004 23:57:14 +0000 Subject: [PATCH] CAN-2004-0493 - memory exhaustion denial of service Reviewed by: jerenkrantz git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@104060 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 5 +++++ server/protocol.c | 17 +++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/CHANGES b/CHANGES index 34faf6b6c92..503de5ada66 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,10 @@ Changes with Apache 2.0.50 + *) SECURITY: CAN-2004-0493 (cve.mitre.org) + Close a denial of service vulnerability identified by Georgi + Guninski which could lead to memory exhaustion with certain + input data. [Jeff Trawick] + *) mod_cgi: Handle output on stderr during script execution on Unix platforms; preventing deadlock when stderr output fills pipe buffer. Also fixes case where stderr from nph- scripts could be lost. diff --git a/server/protocol.c b/server/protocol.c index 8d24daa443b..82b95f3ca4a 100644 --- a/server/protocol.c +++ b/server/protocol.c @@ -719,6 +719,23 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb * continuations that span many many lines. */ apr_size_t fold_len = last_len + len + 1; /* trailing null */ + + if ((fold_len - 1) > r->server->limit_req_fieldsize) { + r->status = HTTP_BAD_REQUEST; + /* report what we have accumulated so far before the + * overflow (last_field) as the field with the problem + */ + apr_table_setn(r->notes, "error-notes", + apr_pstrcat(r->pool, + "Size of a request header field " + "after folding " + "exceeds server limit.
\n" + "
\n",
+                                               ap_escape_html(r->pool, last_field),
+                                               "
\n", NULL)); + return; + } + if (fold_len > alloc_len) { char *fold_buf; alloc_len += alloc_len; -- 2.47.2
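Review bot: The 400 path inside the new `if ((fold_len - 1) > r->server->limit_req_fieldsize)` block copies the whole accumulated `last_field` into `error-notes`, so the error document reflects the complete header value rather than just its name. The value is HTML-escaped, which covers markup injection, but a header the client attached automatically (a cookie, an Authorization header) would still be written into a response body, where it is easier to expose than it was in the request. I would echo only the field name, e.g. `ap_escape_html(r->pool, apr_pstrndup(r->pool, last_field, strcspn(last_field, ":")))`, assuming `last_field` still holds the raw `name: value` line at this point; the split on `:` is not visible in this hunk. The rest of ap_get_mime_headers_core lies outside the hunk, so whether this rejection is logged anywhere cannot be confirmed from here.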