Tree - rpms/httpd - CentOS Git server

rpms / httpd

Blame SOURCES/httpd-2.4.37-CVE-2022-37436.patch

Blob History Raw

		53bb7e	`From 8b6d55f6a047acf62675e32606b037f5eea8ccc7 Mon Sep 17 00:00:00 2001`
		53bb7e	`From: Eric Covener <covener@apache.org>`
		53bb7e	`Date: Tue, 10 Jan 2023 13:20:09 +0000`
		53bb7e	`Subject: [PATCH] Merge r1906539 from trunk:`
		53bb7e
		53bb7e	`fail on bad header`
		53bb7e
		53bb7e	`Submitted By: covener`
		53bb7e	`Reviewed By: covener, rpluem, gbechis`
		53bb7e
		53bb7e
		53bb7e	`git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1906541 13f79535-47bb-0310-9956-ffa450edef68`
		53bb7e	`---`
		53bb7e	`modules/proxy/mod_proxy_http.c \| 46 ++++++++++++++++++++--------------`
		53bb7e	`server/protocol.c \| 2 ++`
		53bb7e	`2 files changed, 29 insertions(+), 19 deletions(-)`
		53bb7e
		53bb7e	`diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c`
		53bb7e	`index d74ae054ac9..ec4e7fb06b5 100644`
		53bb7e	`--- a/modules/proxy/mod_proxy_http.c`
		53bb7e	`+++ b/modules/proxy/mod_proxy_http.c`
		53bb7e	`@@ -788,7 +788,7 @@ static void process_proxy_header(request_rec r, proxy_dir_conf c,`
		53bb7e	`* any sense at all, since we depend on buffer still containing`
		53bb7e	`* what was read by ap_getline() upon return.`
		53bb7e	`*/`
		53bb7e	`-static void ap_proxy_read_headers(request_rec r, request_rec rr,`
		53bb7e	`+static apr_status_t ap_proxy_read_headers(request_rec r, request_rec rr,`
		53bb7e	`char *buffer, int size,`
		53bb7e	`conn_rec c, int pread_len)`
		53bb7e	`{`
		53bb7e	`@@ -820,19 +820,26 @@ static void ap_proxy_read_headers(request_rec r, request_rec rr,`
		53bb7e	`rc = ap_proxygetline(tmp_bb, buffer, size, rr,`
		53bb7e	`AP_GETLINE_FOLD \| AP_GETLINE_NOSPC_EOL, &len;;`
		53bb7e
		53bb7e	`- if (len <= 0)`
		53bb7e	`- break;`
		53bb7e
		53bb7e	`- if (APR_STATUS_IS_ENOSPC(rc)) {`
		53bb7e	`- /* The header could not fit in the provided buffer, warn.`
		53bb7e	`- * XXX: falls through with the truncated header, 5xx instead?`
		53bb7e	`- */`
		53bb7e	`- int trunc = (len > 128 ? 128 : len) / 2;`
		53bb7e	`- ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10124)`
		53bb7e	`- "header size is over the limit allowed by "`
		53bb7e	`- "ResponseFieldSize (%d bytes). "`
		53bb7e	`- "Bad response header: '%.*s[...]%s'",`
		53bb7e	`- size, trunc, buffer, buffer + len - trunc);`
		53bb7e	`+ if (rc != APR_SUCCESS) {`
		53bb7e	`+ if (APR_STATUS_IS_ENOSPC(rc)) {`
		53bb7e	`+ int trunc = (len > 128 ? 128 : len) / 2;`
		53bb7e	`+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10124)`
		53bb7e	`+ "header size is over the limit allowed by "`
		53bb7e	`+ "ResponseFieldSize (%d bytes). "`
		53bb7e	`+ "Bad response header: '%.*s[...]%s'",`
		53bb7e	`+ size, trunc, buffer, buffer + len - trunc);`
		53bb7e	`+ }`
		53bb7e	`+ else {`
		53bb7e	`+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10404)`
		53bb7e	`+ "Error reading headers from backend");`
		53bb7e	`+ }`
		53bb7e	`+ r->headers_out = NULL;`
		53bb7e	`+ return rc;`
		53bb7e	`+ }`
		53bb7e	`+`
		53bb7e	`+ if (len <= 0) {`
		53bb7e	`+ break;`
		53bb7e	`}`
		53bb7e	`else {`
		53bb7e	`ap_log_rerror(APLOG_MARK, APLOG_TRACE4, 0, r, "%s", buffer);`
		53bb7e	`@@ -855,7 +862,7 @@ static void ap_proxy_read_headers(request_rec r, request_rec rr,`
		53bb7e	`if (psc->badopt == bad_error) {`
		53bb7e	`/* Nope, it wasn't even an extra HTTP header. Give up. */`
		53bb7e	`r->headers_out = NULL;`
		53bb7e	`- return;`
		53bb7e	`+ return APR_EINVAL;`
		53bb7e	`}`
		53bb7e	`else if (psc->badopt == bad_body) {`
		53bb7e	`/* if we've already started loading headers_out, then`
		53bb7e	`@@ -869,13 +876,13 @@ static void ap_proxy_read_headers(request_rec r, request_rec rr,`
		53bb7e	`"in headers returned by %s (%s)",`
		53bb7e	`r->uri, r->method);`
		53bb7e	`*pread_len = len;`
		53bb7e	`- return;`
		53bb7e	`+ return APR_SUCCESS;`
		53bb7e	`}`
		53bb7e	`else {`
		53bb7e	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01099)`
		53bb7e	`"No HTTP headers returned by %s (%s)",`
		53bb7e	`r->uri, r->method);`
		53bb7e	`- return;`
		53bb7e	`+ return APR_SUCCESS;`
		53bb7e	`}`
		53bb7e	`}`
		53bb7e	`}`
		53bb7e	`@@ -905,6 +912,7 @@ static void ap_proxy_read_headers(request_rec r, request_rec rr,`
		53bb7e	`process_proxy_header(r, dconf, buffer, value);`
		53bb7e	`saw_headers = 1;`
		53bb7e	`}`
		53bb7e	`+ return APR_SUCCESS;`
		53bb7e	`}`
		53bb7e
		53bb7e
		53bb7e	`@@ -1218,10 +1226,10 @@ int ap_proxy_http_process_response(proxy_http_req_t *req)`
		53bb7e	`"Set-Cookie", NULL);`
		53bb7e
		53bb7e	`/* shove the headers direct into r->headers_out */`
		53bb7e	`- ap_proxy_read_headers(r, backend->r, buffer, response_field_size,`
		53bb7e	`- origin, &pread_len);`
		53bb7e	`+ rc = ap_proxy_read_headers(r, backend->r, buffer, response_field_size,`
		53bb7e	`+ origin, &pread_len);`
		53bb7e
		53bb7e	`- if (r->headers_out == NULL) {`
		53bb7e	`+ if (rc != APR_SUCCESS \|\| r->headers_out == NULL) {`
		53bb7e	`ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01106)`
		53bb7e	`"bad HTTP/%d.%d header returned by %s (%s)",`
		53bb7e	`major, minor, r->uri, r->method);`
		53bb7e	`diff --git a/server/protocol.c b/server/protocol.c`
		53bb7e	`index 7adc7f75c10..6f9540ad1de 100644`
		53bb7e	`--- a/server/protocol.c`
		53bb7e	`+++ b/server/protocol.c`
		53bb7e	`@@ -508,6 +508,8 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,`
		53bb7e	`/* PR#43039: We shouldn't accept NULL bytes within the line */`
		53bb7e	`bytes_handled = strlen(*s);`
		53bb7e	`if (bytes_handled < *read) {`
		53bb7e	`+ ap_log_data(APLOG_MARK, APLOG_DEBUG, ap_server_conf,`
		53bb7e	`+ "NULL bytes in header", s, read, 0);`
		53bb7e	`*read = bytes_handled;`
		53bb7e	`if (rv == APR_SUCCESS) {`
		53bb7e	`rv = APR_EINVAL;`

rpms / httpd

Source Code

Blame SOURCES/httpd-2.4.37-CVE-2022-37436.patch