Blame SOURCES/httpd-2.4.34-CVE-2022-22719.patch

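diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
index 1afe333..62a70cf 100644
--- a/modules/lua/lua_request.c
+++ b/modules/lua/lua_request.c
@@ -235,14 +235,16 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size,
 {
     int rc = OK;
 
+    *rbuf = NULL;
+    *size = 0;
+
     if ((rc = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR))) {
         return (rc);
     }
     if (ap_should_client_block(r)) {
 
         /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
-        char         argsbuffer[HUGE_STRING_LEN];
-        apr_off_t    rsize, len_read, rpos = 0;
+        apr_off_t    len_read, rpos = 0;
         apr_off_t length = r->remaining;
         /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
 
@@ -250,18 +252,18 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size,
             return APR_EINCOMPLETE; /* Only room for incomplete data chunk :( */
         }
         *rbuf = (const char *) apr_pcalloc(r->pool, (apr_size_t) (length + 1));
-        *size = length;
-        while ((len_read = ap_get_client_block(r, argsbuffer, sizeof(argsbuffer))) > 0) {
-            if ((rpos + len_read) > length) {
-                rsize = length - rpos;
-            }
-            else {
-                rsize = len_read;
-            }
-
-            memcpy((char *) *rbuf + rpos, argsbuffer, (size_t) rsize);
-            rpos += rsize;
+        while ((rpos < length)
+               && (len_read = ap_get_client_block(r, (char *) *rbuf + rpos,
+                                               length - rpos)) > 0) {
+            rpos += len_read;
+        }
+        if (len_read < 0) {
+            return APR_EINCOMPLETE;
         }
+        *size = rpos;
+    }
+    else {
+        rc = DONE;
     }
 
     return (rc);
@@ -278,6 +280,8 @@ static apr_status_t lua_write_body(request_rec *r, apr_file_t *file, apr_off_t *
 {
     apr_status_t rc = OK;
 
+    *size = 0;
+
     if ((rc = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR)))
         return rc;
     if (ap_should_client_block(r)) {
@@ -303,6 +307,9 @@ static apr_status_t lua_write_body(request_rec *r, apr_file_t *file, apr_off_t *
             rpos += rsize;
         }
     }
+    else {
+        rc = DONE;
+    }
 
     return rc;
 }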
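Review bot: In the second lua_read_body hunk the new loop reads straight into the pool buffer, so the allocation size and the read bound must agree, yet they are computed in different types. The buffer is sized with `(apr_size_t) (length + 1)` while the loop is bounded by the `apr_off_t` value `length - rpos`, which is then narrowed implicitly to the `apr_size_t` length argument of ap_get_client_block. On a build where apr_off_t is wider than apr_size_t, a large `r->remaining` could truncate the allocation but not the loop bound. The condition guarding the `return APR_EINCOMPLETE` just above the allocation is outside the hunk, so it is unclear whether it already caps `length` when no maximum size is configured. An explicit guard before the allocation would make the bound independent of that check, for example `if (length < 0 || (apr_uint64_t) length >= APR_SIZE_MAX) return APR_EINCOMPLETE;`. The same hunk also starts returning `DONE` for requests without a body, which deserves a line in the function comment so that callers comparing against `OK` are reviewed.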