Bug 546794

Description Agostino Sarubbo 2015-04-16 12:27:18 UTC

From ${URL} :

Below issue was reported in Apache httpd:
"""
  Affected code
 ===============
 * protocol.c --- routines which directly communicate with the client.
 *
 * Code originally by Rob McCool; much redone by Robert S. Thau
 * and the Apache Software Foundation.


 PoC 1 - Code Snippet [CWE-476]
 ==============================
 (..\httpd-2.2.29\server\protocol.c:1286)
 (..\httpd-2.4.12\server\protocol.c:1286)

...

AP_CORE_DECLARE_NONSTD(apr_status_t) ap_content_length_filter(
    ap_filter_t *f,
    apr_bucket_brigade *b)
{
    request_rec *r = f->r;
    struct content_length_ctx *ctx;
    apr_bucket *e;
    int eos = 0;
    apr_read_type_e eblock = APR_NONBLOCK_READ;

    ctx = f->ctx;
    if (!ctx) {
        f->ctx = ctx = apr_palloc(r->pool, sizeof(*ctx));
        ctx->data_sent = 0;
    }

Description: Code at line 1286 is vulnerable to a Null Pointer
Derference security issue,  where (request_rec *r = f->r;).  The
filter is used to compute the Content-Length, but it also computes the
number of bytes sent to the client.
......................................................................................................
The filter will always run through all of the buckets in all brigades.
The (request_rec *r = f->r;) is user-controllable and can be set to
NULL using a supplied parameter. The issue stems from the lack of any
control metrics on the return value of (f) ~ line 1286 (to ensure that
is non-NULL.)

The value of (f) can be set to NULL using a user-supplied parameter.
"""


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.