[Pkg-apache-commits] r1245 - in /trunk/apache2: changelog patches/00list patches/084_mod_reqtimeout_CVE-2010-1623.dpatch
sf at alioth.debian.org
sf at alioth.debian.org
Sat Oct 9 18:56:55 UTC 2010
Author: sf
Date: Sat Oct 9 18:56:55 2010
New Revision: 1245
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1245
Log:
CVE-2010-1623: mod_reqtimeout: Fix potential DoS by memory usage
Added:
trunk/apache2/patches/084_mod_reqtimeout_CVE-2010-1623.dpatch
Modified:
trunk/apache2/changelog
trunk/apache2/patches/00list
Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1245&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Sat Oct 9 18:56:55 2010
@@ -1,5 +1,6 @@
apache2 (2.2.16-3) UNRELEASED; urgency=low
+ * CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
* Fix "Could not reliably determine the server's ..." error message in
README.Debian, to make it easier to search for it. Closes: #590528
Modified: trunk/apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/00list?rev=1245&op=diff
==============================================================================
--- trunk/apache2/patches/00list (original)
+++ trunk/apache2/patches/00list Sat Oct 9 18:56:55 2010
@@ -26,6 +26,7 @@
080_mod_reqtimeout_fixes.dpatch
082_ab_num_requests
083_mod_ssl_memcpy.dpatch
+084_mod_reqtimeout_CVE-2010-1623.dpatch
099_config_guess_sub_update
200_cp_suexec.dpatch
201_build_suexec-custom.dpatch
Added: trunk/apache2/patches/084_mod_reqtimeout_CVE-2010-1623.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/084_mod_reqtimeout_CVE-2010-1623.dpatch?rev=1245&op=file
==============================================================================
--- trunk/apache2/patches/084_mod_reqtimeout_CVE-2010-1623.dpatch (added)
+++ trunk/apache2/patches/084_mod_reqtimeout_CVE-2010-1623.dpatch Sat Oct 9 18:56:55 2010
@@ -1,0 +1,63 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## DP: Our version of mod_reqtimeout has all fixes from trunk.
+## DP: Therefore backport the fix for CVE-2010-1623, too.
+## DP: Upstream commit r1003626.
+ at DPATCH@
+diff --git a/modules/filters/mod_reqtimeout.c b/modules/filters/mod_reqtimeout.c
+index b0de997..adc4def 100644
+--- a/modules/filters/mod_reqtimeout.c
++++ b/modules/filters/mod_reqtimeout.c
+@@ -115,6 +115,41 @@ static apr_status_t have_lf_or_eos(apr_bucket_brigade *bb)
+ return APR_INCOMPLETE;
+ }
+
++/*
++ * Append bbIn to bbOut and merge small buckets, to avoid DoS by high memory
++ * usage
++ */
++static apr_status_t brigade_append(apr_bucket_brigade *bbOut, apr_bucket_brigade *bbIn)
++{
++ while (!APR_BRIGADE_EMPTY(bbIn)) {
++ apr_bucket *e = APR_BRIGADE_FIRST(bbIn);
++ const char *str;
++ apr_size_t len;
++ apr_status_t rv;
++
++ rv = apr_bucket_read(e, &str, &len, APR_BLOCK_READ);
++ if (rv != APR_SUCCESS) {
++ return rv;
++ }
++
++ APR_BUCKET_REMOVE(e);
++ if (APR_BUCKET_IS_METADATA(e) || len > APR_BUCKET_BUFF_SIZE/4) {
++ APR_BRIGADE_INSERT_TAIL(bbOut, e);
++ }
++ else {
++ if (len > 0) {
++ rv = apr_brigade_write(bbOut, NULL, NULL, str, len);
++ if (rv != APR_SUCCESS) {
++ apr_bucket_destroy(e);
++ return rv;
++ }
++ }
++ apr_bucket_destroy(e);
++ }
++ }
++ return APR_SUCCESS;
++}
++
+
+ #define MIN(x,y) ((x) < (y) ? (x) : (y))
+ static apr_status_t reqtimeout_filter(ap_filter_t *f,
+@@ -217,7 +252,9 @@ static apr_status_t reqtimeout_filter(ap_filter_t *f,
+ if (!ccfg->tmpbb) {
+ ccfg->tmpbb = apr_brigade_create(f->c->pool, f->c->bucket_alloc);
+ }
+- APR_BRIGADE_CONCAT(ccfg->tmpbb, bb);
++ rv = brigade_append(ccfg->tmpbb, bb);
++ if (rv != APR_SUCCESS)
++ break;
+ }
+
+ /* ... and wait for more */
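Review bot: The header comment on `brigade_append` does not say what state the two brigades are in when it fails, and the new call site in `reqtimeout_filter` only does `break` on error. As written, a failed `apr_bucket_read` leaves the unread bucket at the head of `bbIn` with everything before it already moved into `bbOut`, while a failed `apr_brigade_write` destroys the bucket, so its bytes end up in neither brigade. I would extend the comment with something like `On error, bbOut holds the data appended so far and bbIn the remainder; the bucket being copied is dropped if apr_brigade_write fails.`, and add a line on why `APR_BUCKET_BUFF_SIZE/4` was chosen as the copy threshold. What happens to `ccfg->tmpbb` after the `break` is outside this hunk, so whether the partial state matters to the request has to be checked there. The unbraced `if (rv != APR_SUCCESS) break;` also departs from the braced style used everywhere else in the patch.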