httpd/CVE-2019-0197.patch

From 610b78f35a5dd12f953aac23d867c890c92c46d1 Mon Sep 17 00:00:00 2001
From: Jim Jagielski <jim@apache.org>
Date: Wed, 13 Mar 2019 12:30:20 +0000
Subject: [PATCH] Merge r1852038, r1852101 from trunk:

mod_http2: enable re-use of slave connections again.

mod_http2: fixed slave connection keepalives counter.

Submitted by: icing
Reviewed by: icing, ylavic, jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855406 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/http2/h2_conn.c | 14 +++++++++-----
 modules/http2/h2_mplx.c |  8 +++++++-
 modules/http2/h2_task.c |  3 +--
 3 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/modules/http2/h2_conn.c b/modules/http2/h2_conn.c
index f7f81be..dc2081e 100644
--- a/modules/http2/h2_conn.c
+++ b/modules/http2/h2_conn.c
@@ -305,6 +305,10 @@ conn_rec *h2_slave_create(conn_rec *master, int slave_id, apr_pool_t *parent)
     c->notes                  = apr_table_make(pool, 5);
     c->input_filters          = NULL;
     c->output_filters         = NULL;
+    c->keepalives             = 0;
+#if AP_MODULE_MAGIC_AT_LEAST(20180903, 1)
+    c->filter_conn_ctx        = NULL;
+#endif
     c->bucket_alloc           = apr_bucket_alloc_create(pool);
     c->data_in_input_filters  = 0;
     c->data_in_output_filters = 0;
@@ -332,16 +336,15 @@ conn_rec *h2_slave_create(conn_rec *master, int slave_id, apr_pool_t *parent)
         ap_set_module_config(c->conn_config, mpm, cfg);
     }
 
-    ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, 
-                  "h2_stream(%ld-%d): created slave", master->id, slave_id);
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c, 
+                  "h2_slave(%s): created", c->log_id);
     return c;
 }
 
 void h2_slave_destroy(conn_rec *slave)
 {
-    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, slave,
-                  "h2_stream(%s): destroy slave", 
-                  apr_table_get(slave->notes, H2_TASK_ID_NOTE));
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, slave,
+                  "h2_slave(%s): destroy", slave->log_id);
     slave->sbh = NULL;
     apr_pool_destroy(slave->pool);
 }
@@ -365,6 +368,7 @@ apr_status_t h2_slave_run_pre_connection(conn_rec *slave, apr_socket_t *csd)
 	slave->keepalive = AP_CONN_CLOSE;
         return ap_run_pre_connection(slave, csd);
     }
+    ap_assert(slave->output_filters);
     return APR_SUCCESS;
 }
 
diff --git a/modules/http2/h2_mplx.c b/modules/http2/h2_mplx.c
index 05667ab..29f040c 100644
--- a/modules/http2/h2_mplx.c
+++ b/modules/http2/h2_mplx.c
@@ -327,7 +327,8 @@ static int stream_destroy_iter(void *ctx, void *val)
                                && !task->rst_error);
             }
             
-            if (reuse_slave && slave->keepalive == AP_CONN_KEEPALIVE) {
+            task->c = NULL;
+            if (reuse_slave) {
                 h2_beam_log(task->output.beam, m->c, APLOG_DEBUG, 
                             APLOGNO(03385) "h2_task_destroy, reuse slave");    
                 h2_task_destroy(task);
@@ -437,6 +438,8 @@ void h2_mplx_release_and_join(h2_mplx *m, apr_thread_cond_t *wait)
     apr_status_t status;
     int i, wait_secs = 60;
 
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c,
+                  "h2_mplx(%ld): start release", m->id);
     /* How to shut down a h2 connection:
      * 0. abort and tell the workers that no more tasks will come from us */
     m->aborted = 1;
@@ -973,6 +976,9 @@ static apr_status_t unschedule_slow_tasks(h2_mplx *m)
      */
     n = (m->tasks_active - m->limit_active - (int)h2_ihash_count(m->sredo));
     while (n > 0 && (stream = get_latest_repeatable_unsubmitted_stream(m))) {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c, 
+                      "h2_mplx(%s): unschedule, resetting task for redo later",
+                      stream->task->id);
         h2_task_rst(stream->task, H2_ERR_CANCEL);
         h2_ihash_add(m->sredo, stream);
         --n;
diff --git a/modules/http2/h2_task.c b/modules/http2/h2_task.c
index 86fb026..f4c875c 100644
--- a/modules/http2/h2_task.c
+++ b/modules/http2/h2_task.c
@@ -504,7 +504,7 @@ static int h2_task_pre_conn(conn_rec* c, void *arg)
     (void)arg;
     if (h2_ctx_is_task(ctx)) {
         ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
-                      "h2_h2, pre_connection, found stream task");
+                      "h2_slave(%s), pre_connection, adding filters", c->log_id);
         ap_add_input_filter("H2_SLAVE_IN", NULL, NULL, c);
         ap_add_output_filter("H2_PARSE_H1", NULL, NULL, c);
         ap_add_output_filter("H2_SLAVE_OUT", NULL, NULL, c);
@@ -545,7 +545,6 @@ h2_task *h2_task_create(conn_rec *slave, int stream_id,
 void h2_task_destroy(h2_task *task)
 {
     if (task->output.beam) {
-        h2_beam_log(task->output.beam, task->c, APLOG_TRACE2, "task_destroy");
         h2_beam_destroy(task->output.beam);
         task->output.beam = NULL;
     }
-- 
1.8.3.1
httpd: fix CVE-2019-10092 CVE-2019-10097 CVE-2019-10098 CVE-2019-0196 CVE-2019-0197 2020-04-15 16:59:27 +08:00			`From 610b78f35a5dd12f953aac23d867c890c92c46d1 Mon Sep 17 00:00:00 2001`
			`From: Jim Jagielski <jim@apache.org>`
			`Date: Wed, 13 Mar 2019 12:30:20 +0000`
			`Subject: [PATCH] Merge r1852038, r1852101 from trunk:`

			`mod_http2: enable re-use of slave connections again.`

			`mod_http2: fixed slave connection keepalives counter.`

			`Submitted by: icing`
			`Reviewed by: icing, ylavic, jim`

			`git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855406 13f79535-47bb-0310-9956-ffa450edef68`
			`---`
			`modules/http2/h2_conn.c \| 14 +++++++++-----`
			`modules/http2/h2_mplx.c \| 8 +++++++-`
			`modules/http2/h2_task.c \| 3 +--`
			`3 files changed, 17 insertions(+), 8 deletions(-)`

			`diff --git a/modules/http2/h2_conn.c b/modules/http2/h2_conn.c`
			`index f7f81be..dc2081e 100644`
			`--- a/modules/http2/h2_conn.c`
			`+++ b/modules/http2/h2_conn.c`
			`@@ -305,6 +305,10 @@ conn_rec h2_slave_create(conn_rec master, int slave_id, apr_pool_t *parent)`
			`c->notes = apr_table_make(pool, 5);`
			`c->input_filters = NULL;`
			`c->output_filters = NULL;`
			`+ c->keepalives = 0;`
			`+#if AP_MODULE_MAGIC_AT_LEAST(20180903, 1)`
			`+ c->filter_conn_ctx = NULL;`
			`+#endif`
			`c->bucket_alloc = apr_bucket_alloc_create(pool);`
			`c->data_in_input_filters = 0;`
			`c->data_in_output_filters = 0;`
			`@@ -332,16 +336,15 @@ conn_rec h2_slave_create(conn_rec master, int slave_id, apr_pool_t *parent)`
			`ap_set_module_config(c->conn_config, mpm, cfg);`
			`}`

			`- ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,`
			`- "h2_stream(%ld-%d): created slave", master->id, slave_id);`
			`+ ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,`
			`+ "h2_slave(%s): created", c->log_id);`
			`return c;`
			`}`

			`void h2_slave_destroy(conn_rec *slave)`
			`{`
			`- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, slave,`
			`- "h2_stream(%s): destroy slave",`
			`- apr_table_get(slave->notes, H2_TASK_ID_NOTE));`
			`+ ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, slave,`
			`+ "h2_slave(%s): destroy", slave->log_id);`
			`slave->sbh = NULL;`
			`apr_pool_destroy(slave->pool);`
			`}`
			`@@ -365,6 +368,7 @@ apr_status_t h2_slave_run_pre_connection(conn_rec slave, apr_socket_t csd)`
			`slave->keepalive = AP_CONN_CLOSE;`
			`return ap_run_pre_connection(slave, csd);`
			`}`
			`+ ap_assert(slave->output_filters);`
			`return APR_SUCCESS;`
			`}`

			`diff --git a/modules/http2/h2_mplx.c b/modules/http2/h2_mplx.c`
			`index 05667ab..29f040c 100644`
			`--- a/modules/http2/h2_mplx.c`
			`+++ b/modules/http2/h2_mplx.c`
			`@@ -327,7 +327,8 @@ static int stream_destroy_iter(void ctx, void val)`
			`&& !task->rst_error);`
			`}`

			`- if (reuse_slave && slave->keepalive == AP_CONN_KEEPALIVE) {`
			`+ task->c = NULL;`
			`+ if (reuse_slave) {`
			`h2_beam_log(task->output.beam, m->c, APLOG_DEBUG,`
			`APLOGNO(03385) "h2_task_destroy, reuse slave");`
			`h2_task_destroy(task);`
			`@@ -437,6 +438,8 @@ void h2_mplx_release_and_join(h2_mplx m, apr_thread_cond_t wait)`
			`apr_status_t status;`
			`int i, wait_secs = 60;`

			`+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c,`
			`+ "h2_mplx(%ld): start release", m->id);`
			`/* How to shut down a h2 connection:`
			`* 0. abort and tell the workers that no more tasks will come from us */`
			`m->aborted = 1;`
			`@@ -973,6 +976,9 @@ static apr_status_t unschedule_slow_tasks(h2_mplx *m)`
			`*/`
			`n = (m->tasks_active - m->limit_active - (int)h2_ihash_count(m->sredo));`
			`while (n > 0 && (stream = get_latest_repeatable_unsubmitted_stream(m))) {`
			`+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c,`
			`+ "h2_mplx(%s): unschedule, resetting task for redo later",`
			`+ stream->task->id);`
			`h2_task_rst(stream->task, H2_ERR_CANCEL);`
			`h2_ihash_add(m->sredo, stream);`
			`--n;`
			`diff --git a/modules/http2/h2_task.c b/modules/http2/h2_task.c`
			`index 86fb026..f4c875c 100644`
			`--- a/modules/http2/h2_task.c`
			`+++ b/modules/http2/h2_task.c`
			`@@ -504,7 +504,7 @@ static int h2_task_pre_conn(conn_rec* c, void *arg)`
			`(void)arg;`
			`if (h2_ctx_is_task(ctx)) {`
			`ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,`
			`- "h2_h2, pre_connection, found stream task");`
			`+ "h2_slave(%s), pre_connection, adding filters", c->log_id);`
			`ap_add_input_filter("H2_SLAVE_IN", NULL, NULL, c);`
			`ap_add_output_filter("H2_PARSE_H1", NULL, NULL, c);`
			`ap_add_output_filter("H2_SLAVE_OUT", NULL, NULL, c);`
			`@@ -545,7 +545,6 @@ h2_task h2_task_create(conn_rec slave, int stream_id,`
			`void h2_task_destroy(h2_task *task)`
			`{`
			`if (task->output.beam) {`
			`- h2_beam_log(task->output.beam, task->c, APLOG_TRACE2, "task_destroy");`
			`h2_beam_destroy(task->output.beam);`
			`task->output.beam = NULL;`
			`}`
			`--`
			`1.8.3.1`