~racb/ubuntu/quantal/apache2/988819


Viewing changes to debian/patches/084_mod_reqtimeout_CVE-2010-1623.dpatch

  • Committer: Bazaar Package Importer
  • Author(s): Chuck Short
  • Date: 2010-10-12 11:54:48 UTC
  • mfrom: (14.3.19 sid)
  • Revision ID: james.westby@ubuntu.com-20101012115448-jqyh4btw3xm61ts1
Tags: 2.2.16-3ubuntu1
* Merge from debian unstable.  Remaining changes:
  - debian/{control, rules}: Enable PIE hardening.
  - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
  - debian/control: Add bzr tag and point it to our tree.

 
1
#! /bin/sh /usr/share/dpatch/dpatch-run
 
2
##
 
3
## DP: Our version of mod_reqtimeout has all fixes from trunk.
 
4
## DP: Therefore backport the fix for CVE-2010-1623, too.
 
5
## DP: Upstream commit r1003626.
 
6
@DPATCH@
 
7
diff --git a/modules/filters/mod_reqtimeout.c b/modules/filters/mod_reqtimeout.c
 
8
index b0de997..adc4def 100644
 
9
--- a/modules/filters/mod_reqtimeout.c
 
10
+++ b/modules/filters/mod_reqtimeout.c
 
11
@@ -115,6 +115,41 @@ static apr_status_t have_lf_or_eos(apr_bucket_brigade *bb)
 
12
     return APR_INCOMPLETE;
 
13
 }
 
14
 
 
15
+/*
 
16
+ * Append bbIn to bbOut and merge small buckets, to avoid DoS by high memory
 
17
+ * usage
 
18
+ */
 
19
+static apr_status_t brigade_append(apr_bucket_brigade *bbOut, apr_bucket_brigade *bbIn)
 
20
+{
 
21
+    while (!APR_BRIGADE_EMPTY(bbIn)) {
 
22
+        apr_bucket *e = APR_BRIGADE_FIRST(bbIn);
 
23
+        const char *str;
 
24
+        apr_size_t len;
 
25
+        apr_status_t rv;
 
26
+
 
27
+        rv = apr_bucket_read(e, &str, &len, APR_BLOCK_READ);
 
28
+        if (rv != APR_SUCCESS) {
 
29
+            return rv;
 
30
+        }
 
31
+
 
32
+        APR_BUCKET_REMOVE(e);
 
33
+        if (APR_BUCKET_IS_METADATA(e) || len > APR_BUCKET_BUFF_SIZE/4) {
 
34
+            APR_BRIGADE_INSERT_TAIL(bbOut, e);
 
35
+        }
 
36
+        else {
 
37
+            if (len > 0) {
 
38
+                rv = apr_brigade_write(bbOut, NULL, NULL, str, len);
 
39
+                if (rv != APR_SUCCESS) {
 
40
+                    apr_bucket_destroy(e);
 
41
+                    return rv;
 
42
+                }
 
43
+            }
 
44
+            apr_bucket_destroy(e);
 
45
+        }
 
46
+    }
 
47
+    return APR_SUCCESS;
 
48
+}
 
49
+
 
50
 
 
51
 #define MIN(x,y) ((x) < (y) ? (x) : (y))
 
52
 static apr_status_t reqtimeout_filter(ap_filter_t *f,
 
53
@@ -217,7 +252,9 @@ static apr_status_t reqtimeout_filter(ap_filter_t *f,
 
54
                 if (!ccfg->tmpbb) {
 
55
                     ccfg->tmpbb = apr_brigade_create(f->c->pool, f->c->bucket_alloc);
 
56
                 }
 
57
-                APR_BRIGADE_CONCAT(ccfg->tmpbb, bb);
 
58
+                rv = brigade_append(ccfg->tmpbb, bb);
 
59
+                if (rv != APR_SUCCESS)
 
60
+                    break;
 
61
             }
 
62
 
 
63
             /* ... and wait for more */
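Review bot: The comment above `brigade_append` does not say what counts as a small bucket or what state the two brigades are left in on failure, and both matter for the DoS fix it describes. From the body, data buckets of at most `APR_BUCKET_BUFF_SIZE/4` bytes are copied into bbOut with `apr_brigade_write` and then destroyed, while metadata buckets and larger data buckets are moved unchanged; if `apr_bucket_read` fails the bucket is still in bbIn, and if `apr_brigade_write` fails the bucket is destroyed and its data is gone. I would extend the comment with those facts plus a line such as `/* buckets <= APR_BUCKET_BUFF_SIZE/4 are coalesced so per-bucket overhead cannot dominate the bytes received */` (the overhead rationale is inferred from the existing comment; confirm it against upstream r1003626). In the second hunk the new `if (rv != APR_SUCCESS)` is unbraced although the helper braces every branch, and what happens to `bb` and `ccfg->tmpbb` after the `break` lies outside the hunk, so the error path should be checked there.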