Posted to commits@apr.apache.org by tr...@apache.org on 2010/10/01 13:43:26 UTC
svn commit: r1003494 - in /apr/apr-util/branches/1.3.x: CHANGES buckets/apr_brigade.c
Author: trawick
Date: Fri Oct 1 11:43:26 2010
New Revision: 1003494
URL: http://svn.apache.org/viewvc?rev=1003494&view=rev
Log:
Merge r1003491 from trunk:
SECURITY: CVE-2010-1623 (cve.mitre.org)
Fix a denial of service attack against apr_brigade_split_line().
Submitted by: sf
Reviewed by: trawick, jorton
Modified:
apr/apr-util/branches/1.3.x/CHANGES
apr/apr-util/branches/1.3.x/buckets/apr_brigade.c
Modified: apr/apr-util/branches/1.3.x/CHANGES
URL: http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/CHANGES?rev=1003494&r1=1003493&r2=1003494&view=diff
==============================================================================
--- apr/apr-util/branches/1.3.x/CHANGES [utf-8] (original)
+++ apr/apr-util/branches/1.3.x/CHANGES [utf-8] Fri Oct 1 11:43:26 2010
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with APR-util 1.3.10
+ *) SECURITY: CVE-2010-1623 (cve.mitre.org)
+ Fix a denial of service attack against apr_brigade_split_line().
+ [Stefan Fritsch]
+
*) SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
Fix two buffer over-read flaws in the bundled copy of expat which
could cause applications to crash while parsing specially-crafted
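Review bot: The added CHANGES entry says only "denial of service attack" and names neither the effect nor the kind of input that triggers it, unlike the CVE-2009-3560 entry directly below, which states the flaw type and the resulting crash. Consider adding a short clause on what the attack exhausts or breaks, so that someone reading CHANGES can judge exposure without looking up the CVE.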
Modified: apr/apr-util/branches/1.3.x/buckets/apr_brigade.c
URL: http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/buckets/apr_brigade.c?rev=1003494&r1=1003493&r2=1003494&view=diff
==============================================================================
--- apr/apr-util/branches/1.3.x/buckets/apr_brigade.c (original)
+++ apr/apr-util/branches/1.3.x/buckets/apr_brigade.c Fri Oct 1 11:43:26 2010
@@ -331,7 +331,18 @@ APU_DECLARE(apr_status_t) apr_brigade_sp
return APR_SUCCESS;
}
APR_BUCKET_REMOVE(e);
- APR_BRIGADE_INSERT_TAIL(bbOut, e);
+ if (APR_BUCKET_IS_METADATA(e) || len > APR_BUCKET_BUFF_SIZE/4) {
+ APR_BRIGADE_INSERT_TAIL(bbOut, e);
+ }
+ else {
+ if (len > 0) {
+ rv = apr_brigade_write(bbOut, NULL, NULL, str, len);
+ if (rv != APR_SUCCESS) {
+ return rv;
+ }
+ }
+ apr_bucket_destroy(e);
+ }
readbytes += len;
/* We didn't find an APR_ASCII_LF within the maximum line length. */
if (readbytes >= maxbytes) {
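Review bot: In the new else branch, the early `return rv` after a failed apr_brigade_write() leaves e orphaned: APR_BUCKET_REMOVE(e) has already run, and on this path e is neither inserted into bbOut nor passed to apr_bucket_destroy(), so the bucket and its data end up in no brigade. Suggest destroying or relinking e before returning. A comment above the `if` would also help, explaining why non-metadata buckets of at most APR_BUCKET_BUFF_SIZE/4 bytes are copied into bbOut instead of moved, and why the threshold is /4, since nothing in the hunk documents either choice.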