On 1/6/26 12:02 PM, [email protected] wrote:
> Author: jorton
> Date: Tue Jan 6 11:02:20 2026
> New Revision: 1931148
>
> Log:
> mod_dav: Fix security issue in unreleased MS-WDV support:
>
> * modules/dav/main/ms_wdv.c (mswdv_combined_proppatch):
> The MS-WDV combined PROPPATCH handler reads a 16-byte hex length
> prefix from the request body and uses it directly for memory
> allocation without bounds checking. An attacker can specify an
> extremely large value to trigger OOM and crash the worker process.
>
> This patch validates the parsed length against LimitXMLRequestBody
> and APR_SIZE_MAX before allocation.
>
> Reported by: Pavel Kohout, Aisle Research, www.aisle.com
> Submitted by: Pavel Kohout, jorton
> Github: closes #592
>
> Modified:
> httpd/httpd/trunk/modules/dav/main/ms_wdv.c
>
> Modified: httpd/httpd/trunk/modules/dav/main/ms_wdv.c
> ==============================================================================
> --- httpd/httpd/trunk/modules/dav/main/ms_wdv.c Tue Jan 6 10:59:21
> 2026 (r1931147)
> +++ httpd/httpd/trunk/modules/dav/main/ms_wdv.c Tue Jan 6 11:02:20
> 2026 (r1931148)
> @@ -6,6 +6,7 @@
> #include "http_protocol.h"
> #include "http_request.h"
> #include "http_log.h"
> +#include "http_core.h"
>
> #include "mod_dav.h"
>
> @@ -589,7 +590,7 @@ static dav_error *mswdv_combined_proppat
> apr_bucket_brigade *bb;
> apr_status_t status;
> apr_size_t len = 16;
> - apr_off_t proppatch_len;
> + apr_off_t proppatch_len, limit;
> char proppatch_len_str[16 + 1];
> char *proppatch_data;
>
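Review bot: `limit` is declared apr_off_t although it receives a byte count from ap_get_limit_xml_body in the next hunk, not a file offset; if that function returns a size type, the assignment is a signed/unsigned conversion. A short comment saying that `limit` is widened to apr_off_t only so it can be compared directly against proppatch_len would make the choice of type clear.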
> @@ -618,6 +619,17 @@ static dav_error *mswdv_combined_proppat
> return dav_new_error(r->pool, HTTP_BAD_REQUEST, 0, status,
> "Bad PROPPATCH part length");
>
> + /* Validate PROPPATCH length against configured limits */
> + limit = ap_get_limit_xml_body(r);
> + if (limit > 0 && proppatch_len > limit) {
> + return dav_new_error(r->pool, HTTP_REQUEST_ENTITY_TOO_LARGE, 0, 0,
> + "PROPPATCH part length exceeds configured
> limit");
> + }
> + if (proppatch_len <= 0 || proppatch_len > (apr_off_t)APR_SIZE_MAX) {
How can proppatch_len be larger than APR_SIZE_MAX?
IMHO the maximum value of proppatch_len being an apr_off_t is
9,223,372,036,854,775,807
APR_SIZE_MAX is the maximum value of apr_size_t which is
18,446,744,073,709,551,615.
Or should this guard against cases of 32 bit systems with _FILE_OFFSET_BITS=64 or
_LARGEFILE64_SOURCE set where apr_off_t is 64 bit and apr_size_t 32 bit? If yes it is
probably worth documenting this in a comment.
> + return dav_new_error(r->pool, HTTP_REQUEST_ENTITY_TOO_LARGE, 0, 0,
> + "PROPPATCH part length invalid or too large");
> + }
> +
> apr_brigade_destroy(bb);
>
> bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
>
>
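Review bot: the guard `proppatch_len > (apr_off_t)APR_SIZE_MAX` in the second new block is a logic problem on builds where apr_off_t and apr_size_t are both 64 bits wide: APR_SIZE_MAX is the all-ones unsigned value, and converting it to the signed apr_off_t gives -1 under the usual two's-complement conversion, so the condition reads `proppatch_len > -1` and rejects every positive length with 413. Only on a 32-bit build with a 64-bit apr_off_t does the comparison catch what it is meant to catch (a length that does not fit in apr_size_t). Suggest doing the comparison in an unsigned type once `proppatch_len <= 0` has been ruled out, e.g. `(apr_uint64_t)proppatch_len > APR_SIZE_MAX`, and saying in the comment that the check exists for the 32-bit/large-file combination. Also, the `limit > 0 && proppatch_len > limit` test runs before the `proppatch_len <= 0` test; putting the basic validity check first avoids comparing a negative value against the configured limit.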
Regards
Rüdiger