diff options
| author | clement <clement@FreeBSD.org> | 2004-08-18 19:40:07 +0000 |
|---|---|---|
| committer | clement <clement@FreeBSD.org> | 2004-08-18 19:40:07 +0000 |
| commit | 49f92a1a1ecdc9ae485e91f16c5968cb42472124 (patch) | |
| tree | 15cec36757863beb9abe88a30ef8477a0846a44c /www/apache2/files | |
| parent | f9f546567af2b1c06eeb6c83dcc0667d0ea32298 (diff) | |
| download | FreeBSD-ports-49f92a1a1ecdc9ae485e91f16c5968cb42472124.zip FreeBSD-ports-49f92a1a1ecdc9ae485e91f16c5968cb42472124.tar.gz | |
- Backport security fixes in ssl_engine_io.c
* [SECURITY] mod_ssl: Fix potential input filter segfaults in
SPECULATIVE mode. (rollback handling for AP_MODE_SPECULATIVE)
"This issue has possible security implications; it's been assigned CVE
CAN-2004-0751 (cve.mitre.org)."
http://issues.apache.org/bugzilla/show_bug.cgi?id=30134
* [SECURITY] mod_ssl: Fix potential infinite loop.
(potential infinite loop in ssl_io_input_getline if connection is
aborted without inctx->rc being set.)
http://issues.apache.org/bugzilla/show_bug.cgi?id=27945
http://issues.apache.org/bugzilla/show_bug.cgi?id=29690
Obtained from: Apache CVS (httpd-2.0 HEAD)
Diffstat (limited to 'www/apache2/files')
| -rw-r--r-- | www/apache2/files/patch-secfix-modules:ssl:ssl_engine_io.c | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/www/apache2/files/patch-secfix-modules:ssl:ssl_engine_io.c b/www/apache2/files/patch-secfix-modules:ssl:ssl_engine_io.c new file mode 100644 index 0000000..f29cfd5 --- /dev/null +++ b/www/apache2/files/patch-secfix-modules:ssl:ssl_engine_io.c @@ -0,0 +1,34 @@ +=================================================================== +RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_io.c,v +retrieving revision 1.124 +retrieving revision 1.126 +diff -u -r1.124 -r1.126 +--- modules/ssl/ssl_engine_io.c 2004/07/13 18:11:22 1.124 ++++ modules/ssl/ssl_engine_io.c 2004/08/17 16:31:23 1.126 +@@ -564,8 +564,12 @@ + *len = bytes; + if (inctx->mode == AP_MODE_SPECULATIVE) { + /* We want to rollback this read. */ +- inctx->cbuf.value -= bytes; +- inctx->cbuf.length += bytes; ++ if (inctx->cbuf.length > 0) { ++ inctx->cbuf.value -= bytes; ++ inctx->cbuf.length += bytes; ++ } else { ++ char_buffer_write(&inctx->cbuf, buf, (int)bytes); ++ } + return APR_SUCCESS; + } + /* This could probably be *len == wanted, but be safe from stray +@@ -589,6 +593,10 @@ + while (1) { + + if (!inctx->filter_ctx->pssl) { ++ /* Ensure a non-zero error code is returned */ ++ if (inctx->rc == APR_SUCCESS) { ++ inctx->rc = APR_EGENERAL; ++ } + break; + } + + |
