From ${URL} :

The issue below was reported in Apache httpd:

"""
Affected code
===============

 * protocol.c --- routines which directly communicate with the client.
 *
 * Code originally by Rob McCool; much redone by Robert S. Thau
 * and the Apache Software Foundation.

PoC 1 - Code Snippet [CWE-476]
==============================

(..\httpd-2.2.29\server\protocol.c:1286)
(..\httpd-2.4.12\server\protocol.c:1286)

...
AP_CORE_DECLARE_NONSTD(apr_status_t) ap_content_length_filter(
    ap_filter_t *f,
    apr_bucket_brigade *b)
{
    request_rec *r = f->r;
    struct content_length_ctx *ctx;
    apr_bucket *e;
    int eos = 0;
    apr_read_type_e eblock = APR_NONBLOCK_READ;

    ctx = f->ctx;
    if (!ctx) {
        f->ctx = ctx = apr_palloc(r->pool, sizeof(*ctx));
        ctx->data_sent = 0;
    }

Description:

Code at line 1286 is vulnerable to a Null Pointer Dereference security issue, where (request_rec *r = f->r;). The filter is used to compute the Content-Length, but it also computes the number of bytes sent to the client.

......................................................................................................

The filter will always run through all of the buckets in all brigades. The (request_rec *r = f->r;) is user-controllable and can be set to NULL using a supplied parameter. The issue stems from the lack of any control metrics on the return value of (f) ~ line 1286 (to ensure that it is non-NULL). The value of (f) can be set to NULL using a user-supplied parameter.
"""

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Looking at the URL, it seems that the bug wasn't really valid :/
No validity to this bug, and the original reporter was unable to produce proof that it could be triggered. Thus, no potential exploit here.