You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by rp...@apache.org on 2011/09/01 12:25:45 UTC
svn commit: r1163985 - in /httpd/httpd/trunk: CHANGES
modules/http/byterange_filter.c
Author: rpluem
Date: Thu Sep 1 10:25:45 2011
New Revision: 1163985
URL: http://svn.apache.org/viewvc?rev=1163985&view=rev
Log:
* Fix a regression in the CVE-2011-3192 byterange fix:
Range: bytes=-1
Resulted in the first two bytes delivered, not in the last one.
PR: 51748
Submitted by: low_priority <lowprio20 gmail.com>
Reviewed by: rpluem
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/http/byterange_filter.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1163985&r1=1163984&r2=1163985&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Thu Sep 1 10:25:45 2011
@@ -1,6 +1,15 @@
-*- coding: utf-8 -*-
Changes with Apache 2.3.15
+ *) Fix a regression in the CVE-2011-3192 byterange fix.
+ PR 51748. [low_priority <lowprio20 gmail.com>]
+
+ *) SECURITY: CVE-2011-3192 (cve.mitre.org)
+ core: Fix handling of byte-range requests to use less memory, to avoid
+ denial of service. If the sum of all ranges in a request is larger than
+ the original file, ignore the ranges and send the complete file.
+ PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
+
*) core: Add MaxRanges directive to control the number of ranges permitted
before returning the entire resource, with a default limit of 200.
[Eric Covener]
Modified: httpd/httpd/trunk/modules/http/byterange_filter.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http/byterange_filter.c?rev=1163985&r1=1163984&r2=1163985&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http/byterange_filter.c (original)
+++ httpd/httpd/trunk/modules/http/byterange_filter.c Thu Sep 1 10:25:45 2011
@@ -544,7 +544,7 @@ static int ap_set_byterange(request_rec
return 0;
}
- if (dash == range) {
+ if (dash == cur) {
/* In the form "-5" */
if (apr_strtoff(&number, dash+1, &errp, 10) || *errp) {
return 0;