Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:GA
apache2.34448
apache2-CVE-2016-8740.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File apache2-CVE-2016-8740.patch of Package apache2.34448
From 29c63b786ae028d82405421585e91283c8fa0da3 Mon Sep 17 00:00:00 2001 From: Stefan Eissing <icing@apache.org> Date: Sun, 4 Dec 2016 22:06:30 +0000 Subject: [PATCH] SECURITY: CVE-2016-8740 mod_http2: properly crafted, endless HTTP/2 CONTINUATION frames could be used to exhaust all server's memory. Reported by: Naveen Tiwari <naveen.tiwari@asu.edu> and CDF/SEFCOM at Arizona State University git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1772576 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 +++ modules/http2/h2_session.c | 11 +++++++-- modules/http2/h2_stream.c | 61 +++++++++++++++++++++++++--------------------- 3 files changed, 46 insertions(+), 30 deletions(-) Index: httpd-2.4.23/modules/http2/h2_session.c =================================================================== --- httpd-2.4.23.orig/modules/http2/h2_session.c 2016-06-22 15:18:13.000000000 +0200 +++ httpd-2.4.23/modules/http2/h2_session.c 2016-12-07 20:27:55.599486174 +0100 @@ -405,7 +405,7 @@ static int on_header_cb(nghttp2_session stream = get_stream(session, frame->hd.stream_id); if (!stream) { - ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, session->c, + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, session->c, APLOGNO(02920) "h2_session: stream(%ld-%d): on_header unknown stream", session->id, (int)frame->hd.stream_id); @@ -414,7 +414,14 @@ static int on_header_cb(nghttp2_session status = h2_stream_add_header(stream, (const char *)name, namelen, (const char *)value, valuelen); - if (status != APR_SUCCESS && !stream->response) { + if (status == APR_ECONNRESET) { + ap_log_cerror(APLOG_MARK, APLOG_TRACE1, status, session->c, + "h2-stream(%ld-%d): on_header, reset stream", + session->id, stream->id); + nghttp2_submit_rst_stream(ngh2, NGHTTP2_FLAG_NONE, stream->id, + NGHTTP2_INTERNAL_ERROR); + } + else if (status != APR_SUCCESS && !stream->response) { return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; } return 0; Index: httpd-2.4.23/modules/http2/h2_stream.c =================================================================== --- httpd-2.4.23.orig/modules/http2/h2_stream.c 2016-12-07 20:22:44.942225149 +0100 +++ httpd-2.4.23/modules/http2/h2_stream.c 2016-12-07 20:28:25.159987057 +0100 @@ -289,45 +289,50 @@ apr_status_t h2_stream_add_header(h2_str const char *name, size_t nlen, const char *value, size_t vlen) { + int error = 0; AP_DEBUG_ASSERT(stream); - if (!stream->response) { - if (name[0] == ':') { - if ((vlen) > stream->session->s->limit_req_line) { - /* pseudo header: approximation of request line size check */ - ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, stream->session->c, - "h2_stream(%ld-%d): pseudo header %s too long", - stream->session->id, stream->id, name); - return h2_stream_set_error(stream, - HTTP_REQUEST_URI_TOO_LARGE); - } - } - else if ((nlen + 2 + vlen) > stream->session->s->limit_req_fieldsize) { - /* header too long */ + if (stream->response) { + return APR_EINVAL; + } + ++stream->request_headers_added; + if (name[0] == ':') { + if ((vlen) > stream->session->s->limit_req_line) { + /* pseudo header: approximation of request line size check */ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, stream->session->c, - "h2_stream(%ld-%d): header %s too long", + "h2_stream(%ld-%d): pseudo header %s too long", stream->session->id, stream->id, name); - return h2_stream_set_error(stream, - HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE); + error = HTTP_REQUEST_URI_TOO_LARGE; } - - if (name[0] != ':') { - ++stream->request_headers_added; - if (stream->request_headers_added - > stream->session->s->limit_req_fields) { - /* too many header lines */ - ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, stream->session->c, - "h2_stream(%ld-%d): too many header lines", - stream->session->id, stream->id); - return h2_stream_set_error(stream, - HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE); - } + } + else if ((nlen + 2 + vlen) > stream->session->s->limit_req_fieldsize) { + /* header too long */ + ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, stream->session->c, + "h2_stream(%ld-%d): header %s too long", + stream->session->id, stream->id, name); + error = HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE; + } + + if (stream->request_headers_added + > stream->session->s->limit_req_fields + 4) { + /* too many header lines, include 4 pseudo headers */ + if (stream->request_headers_added + > stream->session->s->limit_req_fields + 4 + 100) { + /* yeah, right */ + return APR_ECONNRESET; } + ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, stream->session->c, + "h2_stream(%ld-%d): too many header lines", + stream->session->id, stream->id); + error = HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE; } if (h2_stream_is_scheduled(stream)) { return h2_request_add_trailer(stream->request, stream->pool, name, nlen, value, vlen); } + else if (error) { + return h2_stream_set_error(stream, error); + } else { if (!input_open(stream)) { return APR_ECONNRESET;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor