Attachment 196584 Details for Bug 276426 – apache-CVE-2009-1890.patch

[patch] apache-CVE-2009-1890.patch

apache-CVE-2009-1890.patch (text/plain), 1.54 KB, created by Alex Legler (RETIRED) on 2009-07-04 07:58:59 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Alex Legler (RETIRED)

Created: 2009-07-04 07:58:59 UTC

Size: 1.54 KB

patch

obsolete

>--- httpd/httpd/trunk/modules/proxy/mod_proxy_http.c	2009/07/02 13:37:39	790586
>+++ httpd/httpd/trunk/modules/proxy/mod_proxy_http.c	2009/07/02 13:41:18	790587
>@@ -427,10 +427,16 @@
>     apr_off_t bytes_streamed = 0;
> 
>     if (old_cl_val) {
>+        char *endstr;
>+
>         add_cl(p, bucket_alloc, header_brigade, old_cl_val);
>-        if (APR_SUCCESS != (status = apr_strtoff(&cl_val, old_cl_val, NULL,
>-                                                 0))) {
>-            return HTTP_INTERNAL_SERVER_ERROR;
>+        status = apr_strtoff(&cl_val, old_cl_val, &endstr, 10);
>+        
>+        if (status || *endstr || endstr == old_cl_val || cl_val < 0) {
>+            ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
>+                          "proxy: could not parse request Content-Length (%s)",
>+                          old_cl_val);
>+            return HTTP_BAD_REQUEST;
>         }
>     }
>     terminate_headers(bucket_alloc, header_brigade);
>@@ -463,8 +469,13 @@
>          *
>          * Prevents HTTP Response Splitting.
>          */
>-        if (bytes_streamed > cl_val)
>-             continue;
>+        if (bytes_streamed > cl_val) {
>+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>+                          "proxy: read more bytes of request body than expected "
>+                          "(got %" APR_OFF_T_FMT ", expected %" APR_OFF_T_FMT ")",
>+                          bytes_streamed, cl_val);
>+            return HTTP_INTERNAL_SERVER_ERROR;
>+        }
> 
>         if (header_brigade) {
>             /* we never sent the header brigade, so go ahead and

Actions: View | Diff

Attachments on bug 276426: 196584