author: Eric Covener <covener@apache.org> 2017-06-19 16:48:42 +0000
committer: Eric Covener <covener@apache.org> 2017-06-19 16:48:42 +0000
commit: edb6db90d2474b5807b2459b3380bf947c5866fa (patch)
tree: eab01244ec02148eb65d19ca1a4e43e384074265
parent: 5b2859d8d6346674227b864de586be553a9ec79e (diff)
download: httpd-edb6db90d2474b5807b2459b3380bf947c5866fa.tar.gz
SECURITY: CVE-2017-7668 (cve.mitre.org)

The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.

Merge r1796350 from trunk: short-circuit on NULL

Submitted By: jchampion
Reviewed By: jchampion, wrowe, ylavic

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1799228 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- CHANGES        7
-rw-r--r-- STATUS         5
-rw-r--r-- server/util.c  6
3 files changed, 9 insertions, 9 deletions
diff --git a/CHANGES b/CHANGES
index 7a950e52a6..9fe328d76c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,13 @@
-*- coding: utf-8 -*-
Changes with Apache 2.2.33
+ *) SECURITY: CVE-2017-7668 (cve.mitre.org)
+ The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+ bug in token list parsing, which allows ap_find_token() to search past
+ the end of its input string. By maliciously crafting a sequence of
+ request headers, an attacker may be able to cause a segmentation fault,
+ or to force ap_find_token() to return an incorrect value.
+
*) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
[Joe Orton]
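Review bot: the new SECURITY entry carries no contributor credit, while the neighbouring entry ends with "[Joe Orton]"; suggest appending the submitter recorded in the commit message (e.g. "[jchampion]") so the release notes follow the same convention as the rest of the file. The text itself matches the commit message and states the impact (out-of-bounds read in ap_find_token() leading to a crash or a wrong return value) clearly enough for operators deciding whether to upgrade.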
diff --git a/STATUS b/STATUS
index 91ca1e2125..3c741568b9 100644
--- a/STATUS
+++ b/STATUS
@@ -104,11 +104,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) core: Terminate token processing on NULL.
- trunk patch: https://svn.apache.org/r1796350
- 2.2.x patch: svn merge -c 1796350 ^/httpd/httpd/trunk .
- +1: jchampion, wrowe, ylavic
-
*) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
to ssl_io_filter_error(). [Yann Ylavic]
trunk patch: https://svn.apache.org/r1796343
diff --git a/server/util.c b/server/util.c
index 054cc1760d..9a805b69db 100644
--- a/server/util.c
+++ b/server/util.c
@@ -1513,10 +1513,8 @@ AP_DECLARE(int) ap_find_token(apr_pool_t *p, const char *line, const char *tok)
s = (const unsigned char *)line;
for (;;) {
- /* find start of token, skip all stop characters, note NUL
- * isn't a token stop, so we don't need to test for it
- */
- while (TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
+ /* find start of token, skip all stop characters */
+ while (*s && TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
++s;
}
if (!*s) {
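Review bot: the removed comment's premise ("NUL isn't a token stop, so we don't need to test for it") is exactly what the commit message says stopped holding after the strict-parsing changes, so the old `while (TEST_CHAR(*s, T_HTTP_TOKEN_STOP))` could step past the terminating NUL and keep reading. Adding `*s &&` in front of the TEST_CHAR test is the minimal correct fix, and the existing `if (!*s)` immediately below now reliably sees the terminator. Two follow-ups worth raising: (1) the rest of ap_find_token() is outside this hunk, so the reviewer should confirm that the token-scanning loop after this one also checks `*s` before consulting the character-class table; (2) any other loop in the tree that relied on the same "NUL is never a stop character" assumption should be audited, since the strict-parsing change that invalidated it here would invalidate it there too.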