rpms / httpd

Clone
Source Code
GIT

Blame SOURCES/httpd-2.4.37-CVE-2020-1934.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-2.4 c8-sig-artwork c8-stream-2.4 c8s-stream-2.4 c9 c9-beta
  1.   8b06210d06013bb42b3c0d18f751d29520719e0e
  2.   SOURCES
  3.   httpd-2.4.37-CVE-2020-1934.patch
Blob History Raw
8b0621 
--- a/modules/proxy/mod_proxy_ftp.c	2020/02/07 17:01:07	1873744
8b0621 
+++ b/modules/proxy/mod_proxy_ftp.c	2020/02/07 17:04:45	1873745
8b0621 
@@ -218,7 +218,7 @@
8b0621 
  * (EBCDIC) machines either.
8b0621 
  */
8b0621 
 static apr_status_t ftp_string_read(conn_rec *c, apr_bucket_brigade *bb,
8b0621 
-        char *buff, apr_size_t bufflen, int *eos)
8b0621 
+        char *buff, apr_size_t bufflen, int *eos, apr_size_t *outlen)
8b0621 
 {
8b0621 
     apr_bucket *e;
8b0621 
     apr_status_t rv;
8b0621 
@@ -230,6 +230,7 @@
8b0621 
     /* start with an empty string */
8b0621 
     buff[0] = 0;
8b0621 
     *eos = 0;
8b0621 
+    *outlen = 0;
8b0621
8b0621 
     /* loop through each brigade */
8b0621 
     while (!found) {
8b0621 
@@ -273,6 +274,7 @@
8b0621 
                 if (len > 0) {
8b0621 
                     memcpy(pos, response, len);
8b0621 
                     pos += len;
8b0621 
+                    *outlen += len;
8b0621 
                 }
8b0621 
             }
8b0621 
             apr_bucket_delete(e);
8b0621 
@@ -385,28 +387,36 @@
8b0621 
     char buff[5];
8b0621 
     char *mb = msgbuf, *me = &msgbuf[msglen];
8b0621 
     apr_status_t rv;
8b0621 
+    apr_size_t nread;
8b0621 
+
8b0621 
     int eos;
8b0621
8b0621 
-    if (APR_SUCCESS != (rv = ftp_string_read(ftp_ctrl, bb, response, sizeof(response), &eos))) {
8b0621 
+    if (APR_SUCCESS != (rv = ftp_string_read(ftp_ctrl, bb, response, sizeof(response), &eos, &nread))) {
8b0621 
         return -1;
8b0621 
     }
8b0621 
 /*
8b0621 
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, APLOGNO(03233)
8b0621 
                  "<%s", response);
8b0621 
 */
8b0621 
+    if (nread < 4) {
8b0621 
+        ap_log_error(APLOG_MARK, APLOG_INFO, 0, NULL, APLOGNO(10229) "Malformed FTP response '%s'", response);
8b0621 
+        *mb = '\0';
8b0621 
+        return -1;
8b0621 
+    }
8b0621 
+
8b0621 
     if (!apr_isdigit(response[0]) || !apr_isdigit(response[1]) ||
8b0621 
-    !apr_isdigit(response[2]) || (response[3] != ' ' && response[3] != '-'))
8b0621 
+        !apr_isdigit(response[2]) || (response[3] != ' ' && response[3] != '-'))
8b0621 
         status = 0;
8b0621 
     else
8b0621 
         status = 100 * response[0] + 10 * response[1] + response[2] - 111 * '0';
8b0621
8b0621 
     mb = apr_cpystrn(mb, response + 4, me - mb);
8b0621
8b0621 
-    if (response[3] == '-') {
8b0621 
+    if (response[3] == '-') { /* multi-line reply "123-foo\nbar\n123 baz" */
8b0621 
         memcpy(buff, response, 3);
8b0621 
         buff[3] = ' ';
8b0621 
         do {
8b0621 
-            if (APR_SUCCESS != (rv = ftp_string_read(ftp_ctrl, bb, response, sizeof(response), &eos))) {
8b0621 
+            if (APR_SUCCESS != (rv = ftp_string_read(ftp_ctrl, bb, response, sizeof(response), &eos, &nread))) {
8b0621 
                 return -1;
8b0621 
             }
8b0621 
             mb = apr_cpystrn(mb, response + (' ' == response[0] ? 1 : 4), me - mb);

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation