SECURITY: CVE-2010-0425 (cve.mitre.org)

mod_isapi: Do not unload an isapi .dll module until the request
processing is completed, avoiding orphaned callback pointers.

Submitted by: Brett Gervasoni <brettg senseofsecurity.com>, trawick
Reviewed by: trawick, wrowe

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@917870 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index f530daa586f69d7a85eee273cca73ead837cf129..3b213a12e7ca36b5d550ef84ee799ddc308671d9 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,12 @@
-                                                        -*- coding: utf-8 -*-
+                                                         -*- coding: utf-8 -*-
 
 Changes with Apache 2.3.7
 
+  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
+     mod_isapi: Do not unload an isapi .dll module until the request
+     processing is completed, avoiding orphaned callback pointers.
+     [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
+
   *) support/rotatelogs: Add -L option to create a link to the current
      log file.  PR 48761 [<lyndon orthanc.ca>, Dan Poirier]
 

diff --git a/modules/arch/win32/mod_isapi.c b/modules/arch/win32/mod_isapi.c
index bfc26aadd1f487495f3ebd8c23b19384133d4dc1..ec0c800d2b78941adc8c7cf169fefafcfb1052f7 100644 (file)
--- a/modules/arch/win32/mod_isapi.c
+++ b/modules/arch/win32/mod_isapi.c
@@ -1503,7 +1503,6 @@ apr_status_t isapi_handler (request_rec *r)
     /* Set up client input */
     res = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR);
     if (res) {
-        isapi_unload(isa, 0);
         return res;
     }
 
@@ -1534,7 +1533,6 @@ apr_status_t isapi_handler (request_rec *r)
         }
 
         if (res < 0) {
-            isapi_unload(isa, 0);
             return HTTP_INTERNAL_SERVER_ERROR;
         }