You are viewing a plain text version of this content. The canonical link for it is here.

Posted to cvs@httpd.apache.org by rp...@apache.org on 2011/09/01 12:25:45 UTC

svn commit: r1163985 - in /httpd/httpd/trunk: CHANGES modules/http/byterange_filter.c

Author: rpluem
Date: Thu Sep  1 10:25:45 2011
New Revision: 1163985

URL: http://svn.apache.org/viewvc?rev=1163985&view=rev
Log:
* Fix a regression in the CVE-2011-3192 byterange fix:
  Range: bytes=-1

  Resulted in the first two bytes delivered, not in the last one.

PR: 51748
Submitted by: low_priority <lowprio20 gmail.com>
Reviewed by: rpluem

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/http/byterange_filter.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1163985&r1=1163984&r2=1163985&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Thu Sep  1 10:25:45 2011
@@ -1,6 +1,15 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.3.15
 
+  *) Fix a regression in the CVE-2011-3192 byterange fix.
+     PR 51748. [low_priority <lowprio20 gmail.com>]
+
+  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
+     core: Fix handling of byte-range requests to use less memory, to avoid
+     denial of service. If the sum of all ranges in a request is larger than
+     the original file, ignore the ranges and send the complete file.
+     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
+
   *) core: Add MaxRanges directive to control the number of ranges permitted
      before returning the entire resource, with a default limit of 200. 
      [Eric Covener]

Modified: httpd/httpd/trunk/modules/http/byterange_filter.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http/byterange_filter.c?rev=1163985&r1=1163984&r2=1163985&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http/byterange_filter.c (original)
+++ httpd/httpd/trunk/modules/http/byterange_filter.c Thu Sep  1 10:25:45 2011
@@ -544,7 +544,7 @@ static int ap_set_byterange(request_rec 
             return 0;
         }
 
-        if (dash == range) {
+        if (dash == cur) {
             /* In the form "-5" */
             if (apr_strtoff(&number, dash+1, &errp, 10) || *errp) {
                 return 0;