You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by tr...@apache.org on 2010/03/11 16:54:18 UTC
svn commit: r921908 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS
modules/proxy/proxy_http.c
Author: trawick
Date: Thu Mar 11 15:54:18 2010
New Revision: 921908
URL: http://svn.apache.org/viewvc?rev=921908&view=rev
Log:
merge from trunk and 2.2.x, using existing published patch for 2.0.63:
*) SECURITY: CVE-2008-2364 (cve.mitre.org)
mod_proxy_http: Better handling of excessive interim responses
from origin server to prevent potential denial of service and high
memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem,
Joe Orton, Jim Jagielski]
Reviewed by: trawick, wrowe, rpluem
Modified:
httpd/httpd/branches/2.0.x/CHANGES
httpd/httpd/branches/2.0.x/STATUS
httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c
Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=921908&r1=921907&r2=921908&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Thu Mar 11 15:54:18 2010
@@ -1,6 +1,12 @@
-*- coding: utf-8 -*-
Changes with Apache 2.0.64
+ *) SECURITY: CVE-2008-2364 (cve.mitre.org)
+ mod_proxy_http: Better handling of excessive interim responses
+ from origin server to prevent potential denial of service and high
+ memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem,
+ Joe Orton, Jim Jagielski]
+
*) SECURITY: CVE-2010-0425 (cve.mitre.org)
mod_isapi: Do not unload an isapi .dll module until the request
processing is completed, avoiding orphaned callback pointers.
Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=921908&r1=921907&r2=921908&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Thu Mar 11 15:54:18 2010
@@ -114,13 +114,6 @@ CURRENT RELEASE NOTES:
RELEASE SHOWSTOPPERS:
- * Commit /dist/httpd/patches/apply_to_2.0.63/CVE-2008-2364-patch-2.0.txt:
- SECURITY: CVE-2008-2364 (cve.mitre.org)
- mod_proxy_http: Better handling of excessive interim responses
- from origin server to prevent potential denial of service and high
- memory usage.
- +1: trawick, wrowe, rpluem
-
* Commit http://people.apache.org/~wrowe/CVE-2010-0434.patch
SECURITY: CVE-2010-0434 (cve.mitre.org)
note; simpler because we had not yet cleaned up input headers for subreq
Modified: httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c?rev=921908&r1=921907&r2=921908&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c (original)
+++ httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c Thu Mar 11 15:54:18 2010
@@ -1290,6 +1290,16 @@ static int addit_dammit(void *v, const c
return 1;
}
+/*
+ * Limit the number of interim respones we sent back to the client. Otherwise
+ * we suffer from a memory build up. Besides there is NO sense in sending back
+ * an unlimited number of interim responses to the client. Thus if we cross
+ * this limit send back a 502 (Bad Gateway).
+ */
+#ifndef AP_MAX_INTERIM_RESPONSES
+#define AP_MAX_INTERIM_RESPONSES 10
+#endif
+
static
apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
proxy_http_conn_t *p_conn,
@@ -1322,7 +1332,7 @@ apr_status_t ap_proxy_http_process_respo
*/
rp->proxyreq = PROXYREQ_RESPONSE;
- while (received_continue) {
+ while (received_continue && (received_continue <= AP_MAX_INTERIM_RESPONSES)) {
apr_brigade_cleanup(bb);
len = ap_getline(buffer, sizeof(buffer), rp, 0);
@@ -1440,7 +1450,9 @@ apr_status_t ap_proxy_http_process_respo
if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
ap_set_content_type(r, apr_pstrdup(p, buf));
}
- ap_proxy_pre_http_request(origin,rp);
+ if (!ap_is_HTTP_INFO(r->status)) {
+ ap_proxy_pre_http_request(origin, rp);
+ }
/* handle Via header in response */
if (conf->viaopt != via_off && conf->viaopt != via_block) {
@@ -1486,6 +1498,7 @@ apr_status_t ap_proxy_http_process_respo
if ( r->status != HTTP_CONTINUE ) {
received_continue = 0;
} else {
+ received_continue++;
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
"proxy: HTTP: received 100 CONTINUE");
}
@@ -1622,6 +1635,14 @@ apr_status_t ap_proxy_http_process_respo
}
}
+ /* See define of AP_MAX_INTERIM_RESPONSES for why */
+ if (received_continue > AP_MAX_INTERIM_RESPONSES) {
+ return ap_proxyerror(r, HTTP_BAD_GATEWAY,
+ apr_psprintf(p,
+ "Too many (%d) interim responses from origin server",
+ received_continue));
+ }
+
if ( conf->error_override ) {
/* the code above this checks for 'OK' which is what the hook expects */
if ( r->status == HTTP_OK )