| author | Eric Covener <covener@apache.org> | 2017-06-19 16:48:42 +0000 |
|---|---|---|
| committer | Eric Covener <covener@apache.org> | 2017-06-19 16:48:42 +0000 |
| commit | edb6db90d2474b5807b2459b3380bf947c5866fa (patch) | |
| tree | eab01244ec02148eb65d19ca1a4e43e384074265 | |
| parent | 5b2859d8d6346674227b864de586be553a9ec79e (diff) | |
| download | httpd-edb6db90d2474b5807b2459b3380bf947c5866fa.tar.gz | |
SECURITY: CVE-2017-7668 (cve.mitre.org)
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.
Merge r1796350 from trunk:
short-circuit on NULL
Submitted By: jchampion
Reviewed By: jchampion, wrowe, ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1799228 13f79535-47bb-0310-9956-ffa450edef68
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | CHANGES | 7 |
| -rw-r--r-- | STATUS | 5 |
| -rw-r--r-- | server/util.c | 6 |

3 files changed, 9 insertions, 9 deletions
@@ -1,6 +1,13 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.33 + *) SECURITY: CVE-2017-7668 (cve.mitre.org) + The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a + bug in token list parsing, which allows ap_find_token() to search past + the end of its input string. By maliciously crafting a sequence of + request headers, an attacker may be able to cause a segmentation fault, + or to force ap_find_token() to return an incorrect value. + *) Fix HttpProtocolOptions to inherit from global to VirtualHost scope. [Joe Orton] @@ -104,11 +104,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) core: Terminate token processing on NULL. - trunk patch: https://svn.apache.org/r1796350 - 2.2.x patch: svn merge -c 1796350 ^/httpd/httpd/trunk . - +1: jchampion, wrowe, ylavic - *) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t to ssl_io_filter_error(). [Yann Ylavic] trunk patch: https://svn.apache.org/r1796343 diff --git a/server/util.c b/server/util.c index 054cc1760d..9a805b69db 100644 --- a/server/util.c +++ b/server/util.c @@ -1513,10 +1513,8 @@ AP_DECLARE(int) ap_find_token(apr_pool_t *p, const char *line, const char *tok) s = (const unsigned char *)line; for (;;) { - /* find start of token, skip all stop characters, note NUL - * isn't a token stop, so we don't need to test for it - */ - while (TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) { + /* find start of token, skip all stop characters */ + while (*s && TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) { ++s; } if (!*s) { |
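Review bot: in the CHANGES hunk, the new `*) SECURITY: CVE-2017-7668` entry has no contributor credit in square brackets, while the neighbouring entry closes with `[Joe Orton]`; consider ending the entry with the submitter named in the commit message ("Submitted By: jchampion") so the changelog stays consistent with the other entries.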
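Review bot: in the server/util.c hunk, the replacement comment `/* find start of token, skip all stop characters */` drops the reason the new `*s &&` guard exists. The deleted comment asserted that NUL "isn't a token stop, so we don't need to test for it", and the commit message says the strict-parsing changes made `ap_find_token()` search past the end of its input, which means `TEST_CHAR(NUL, T_HTTP_TOKEN_STOP)` can now be true. Suggest saying so in the comment, e.g. `/* find start of token, skip all stop characters; NUL is a stop character under strict parsing, so check for it first */`, so a later cleanup does not treat the guard as redundant and reintroduce the out-of-bounds read; the trailing `if (!*s) {` is then the path that ends the scan at end of string.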