From b2445f6e1bfa79c28bfab45e924c95fe350bf67f Mon Sep 17 00:00:00 2001 From: Jim Jagielski Date: Tue, 30 May 2017 12:28:20 +0000 Subject: [PATCH] SECURITY: CVE-2017-7668 (cve.mitre.org) The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value. Merge r1796350 from trunk: short-circuit on NULL Submitted by: jchampion, covener Reviewed by: covener, ylavic, jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796856 13f79535-47bb-0310-9956-ffa450edef68 --- STATUS | 4 ---- server/util.c | 6 ++---- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/STATUS b/STATUS index 456596a6160..87abfa95d81 100644 --- a/STATUS +++ b/STATUS @@ -120,10 +120,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) core: Terminate token processing on NULL. - trunk patch: http://svn.apache.org/r1796350 - 2.4.x patch: svn merge -c 1796350 ^/httpd/httpd/trunk . - +1: covener, ylavic, jim PATCHES PROPOSED TO BACKPORT FROM TRUNK: diff --git a/server/util.c b/server/util.c index 6667ac2e463..830ce5b38bc 100644 --- a/server/util.c +++ b/server/util.c @@ -1679,10 +1679,8 @@ AP_DECLARE(int) ap_find_token(apr_pool_t *p, const char *line, const char *tok) s = (const unsigned char *)line; for (;;) { - /* find start of token, skip all stop characters, note NUL - * isn't a token stop, so we don't need to test for it - */ - while (TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) { + /* find start of token, skip all stop characters */ + while (*s && TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) { ++s; } if (!*s) { -- 2.47.2
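Review bot: on the STATUS hunk, dropping the accepted backport entry (`*) core: Terminate token processing on NULL.`) is the right bookkeeping once the merge lands, but the diffstat (`STATUS | 4 ----`, `server/util.c | 6 ++----`, `2 files changed`) shows no CHANGES entry accompanying the fix. A security backport carrying a CVE number should add a CHANGES line naming CVE-2017-7668 and the submitters so the fix is visible in the release notes rather than only in the commit log.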
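Review bot: on the server/util.c hunk, the replacement comment `/* find start of token, skip all stop characters */` discards the rationale that the old comment carried, so a future reader has no hint why `*s &&` now guards the loop; suggest keeping the reason in place, e.g. `/* find start of token, skip all stop characters; test for NUL first so we never scan past the end of line */`. The hunk also ends at `if (!*s) {` and does not show the loop that advances over the token characters themselves; please confirm that loop is bounded by the terminator as well, since the overrun class fixed here would be the same in both places, and consider adding a regression test that exercises ap_find_token() on inputs whose trailing bytes are stop characters so the new check stays covered.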