On 1/6/26 12:02 PM, [email protected] wrote: > Author: jorton > Date: Tue Jan 6 11:02:20 2026 > New Revision: 1931148 > > Log: > mod_dav: Fix security issue in unreleased MS-WDV support: > > * modules/dav/main/ms_wdv.c (mswdv_combined_proppatch): > The MS-WDV combined PROPPATCH handler reads a 16-byte hex length > prefix from the request body and uses it directly for memory > allocation without bounds checking. An attacker can specify an > extremely large value to trigger OOM and crash the worker process. > > This patch validates the parsed length against LimitXMLRequestBody > and APR_SIZE_MAX before allocation. > > Reported by: Pavel Kohout, Aisle Research, www.aisle.com > Submitted by: Pavel Kohout, jorton > Github: closes #592 > > Modified: > httpd/httpd/trunk/modules/dav/main/ms_wdv.c > > Modified: httpd/httpd/trunk/modules/dav/main/ms_wdv.c > ============================================================================== > --- httpd/httpd/trunk/modules/dav/main/ms_wdv.c Tue Jan 6 10:59:21 > 2026 (r1931147) > +++ httpd/httpd/trunk/modules/dav/main/ms_wdv.c Tue Jan 6 11:02:20 > 2026 (r1931148) > @@ -6,6 +6,7 @@ > #include "http_protocol.h" > #include "http_request.h" > #include "http_log.h" > +#include "http_core.h" > > #include "mod_dav.h" > > @@ -589,7 +590,7 @@ static dav_error *mswdv_combined_proppat > apr_bucket_brigade *bb; > apr_status_t status; > apr_size_t len = 16; > - apr_off_t proppatch_len; > + apr_off_t proppatch_len, limit; > char proppatch_len_str[16 + 1]; > char *proppatch_data; > > @@ -618,6 +619,17 @@ static dav_error *mswdv_combined_proppat > return dav_new_error(r->pool, HTTP_BAD_REQUEST, 0, status, > "Bad PROPPATCH part length"); > > + /* Validate PROPPATCH length against configured limits */ > + limit = ap_get_limit_xml_body(r); > + if (limit > 0 && proppatch_len > limit) { > + return dav_new_error(r->pool, HTTP_REQUEST_ENTITY_TOO_LARGE, 0, 0, > + "PROPPATCH part length exceeds configured > limit"); > + } > + if (proppatch_len <= 0 || proppatch_len > (apr_off_t)APR_SIZE_MAX) { How can proppatch_len be larger than APR_SIZE_MAX? IMHO the maximum value of proppatch_len being an apr_off_t is 9,223,372,036,854,775,807 APR_SIZE_MAX is the maximum value of apr_size_t which is 18,446,744,073,709,551,615. Or should this guard against cases of 32 bit systems with _FILE_OFFSET_BITS=64 or _LARGEFILE64_SOURCE set where apr_off_t is 64 bit and apr_size_t 32 bit? If yes it is probably worth documenting this in a comment. > + return dav_new_error(r->pool, HTTP_REQUEST_ENTITY_TOO_LARGE, 0, 0, > + "PROPPATCH part length invalid or too large"); > + } > + > apr_brigade_destroy(bb); > > bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); > > Regards RĂ¼diger
