[email protected] writes:

> Author: trawick
> Date: Mon Jul  6 12:03:20 2009
> New Revision: 791454
>
> URL: http://svn.apache.org/viewvc?rev=791454&view=rev
> Log:
> SECURITY: CVE-2009-1891 (cve.mitre.org)
> Fix a potential Denial-of-Service attack against mod_deflate or other 
> modules, by forcing the server to consume CPU time in compressing a 
> large file after a client disconnects.  [Joe Orton, Ruediger Pluem]
>
> Submitted by: jorton, rpluem
> Reviewed by:  jim, trawick
>
>
> Modified:
>     httpd/httpd/branches/2.2.x/CHANGES
>     httpd/httpd/branches/2.2.x/STATUS
>     httpd/httpd/branches/2.2.x/server/core_filters.c

Would anyone care to backport this to 2.0.x?  The changes appear to
apply trivially to the core_output_filter() in server/core.c.  I'll
attach the patch:

Index: CHANGES
===================================================================
--- CHANGES     (revision 791478)
+++ CHANGES     (working copy)
@@ -1,6 +1,12 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.64
 
+  *) SECURITY: CVE-2009-1891 (cve.mitre.org)
+     Fix a potential Denial-of-Service attack against mod_deflate or other 
+     modules, by forcing the server to consume CPU time in compressing a 
+     large file after a client disconnects.  PR 39605.
+     [Joe Orton, Ruediger Pluem]
+
   *) SECURITY: CVE-2008-2939 (cve.mitre.org)
      mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
      the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem]
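Review bot: The new CHANGES entry cites "PR 39605", which does not appear in the 2.2.x log message quoted above; confirm it matches the entry in the 2.2.x CHANGES file so both branches describe the fix identically. The added lines ending "or other " and "compressing a " also carry trailing whitespace, which is worth trimming before commit.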
Index: server/core.c
===================================================================
--- server/core.c       (revision 791906)
+++ server/core.c       (working copy)
@@ -3969,6 +3969,12 @@
     apr_read_type_e eblock = APR_NONBLOCK_READ;
     apr_pool_t *input_pool = b->p;
 
+    /* Fail quickly if the connection has already been aborted. */
+    if (c->aborted) {
+        apr_brigade_cleanup(b);
+        return APR_ECONNABORTED;
+    }
+
     if (ctx == NULL) {
         ctx = apr_pcalloc(c->pool, sizeof(*ctx));
         net->out_ctx = ctx;
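Review bot: The comment on the early `if (c->aborted)` return does not say why failing here matters, and the check sits ahead of the `ctx == NULL` setup, so it only empties the incoming brigade `b`. Consider expanding the comment to state that returning APR_ECONNABORTED is what lets upstream filters such as mod_deflate stop producing output for a client that has gone away, and confirm that nothing held in an existing ctx needs releasing on this path in 2.0.x.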
@@ -4336,12 +4342,9 @@
             /* No need to check for SUCCESS, we did that above. */
             if (!APR_STATUS_IS_EAGAIN(rv)) {
                 c->aborted = 1;
+                return APR_ECONNABORTED;
             }
 
-            /* The client has aborted, but the request was successful. We
-             * will report success, and leave it to the access and error
-             * logs to note that the connection was aborted.
-             */
             return APR_SUCCESS;
         }
 
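Review bot: In the `!APR_STATUS_IS_EAGAIN(rv)` branch the function now returns APR_ECONNABORTED where it used to fall through to `return APR_SUCCESS`, and the removed comment said that reporting success was deliberate, leaving the abort to the access and error logs. Callers in 2.0.x that check the output filter's return value will now see an error, so it is worth verifying how they handle and log it on this branch. The remaining `return APR_SUCCESS` now covers only the EAGAIN case and would benefit from a short comment saying so.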

-- 
Dan Poirier <[email protected]>
