httpd/CVE-2020-11984.patch

From 0c543e3f5b3881d515d6235f152aacaaaf3aba72 Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Fri, 24 Jul 2020 09:35:25 +0000
Subject: [PATCH] Merge r1880205, r1880214 from trunk:

mod_proxy_uwsgi: Error out on HTTP header larger than 16K

The uwsgi protocol does not let us serialize more than 16K of HTTP header,
so fail early with 500 if it happens.


Follow up to r1880205, APLOGNO().


Submitted by: ylavic
Reviewed by: ylavic, covener, icing


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1880251 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/proxy/mod_proxy_uwsgi.c | 13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
index 2ac2a95d2ef..0209ac4062e 100644
--- a/modules/proxy/mod_proxy_uwsgi.c
+++ b/modules/proxy/mod_proxy_uwsgi.c
@@ -136,7 +136,7 @@ static int uwsgi_send_headers(request_rec *r, proxy_conn_rec * conn)
     int j;
 
     apr_size_t headerlen = 4;
-    apr_uint16_t pktsize, keylen, vallen;
+    apr_size_t pktsize, keylen, vallen;
     const char *script_name;
     const char *path_info;
     const char *auth;
@@ -178,6 +178,15 @@ static int uwsgi_send_headers(request_rec *r, proxy_conn_rec * conn)
         headerlen += 2 + strlen(env[j].key) + 2 + strlen(env[j].val);
     }
 
+    pktsize = headerlen - 4;
+    if (pktsize > APR_UINT16_MAX) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10259)
+                      "can't send headers to %s:%u: packet size too "
+                      "large (%" APR_SIZE_T_FMT ")",
+                      conn->hostname, conn->port, pktsize);
+        return HTTP_INTERNAL_SERVER_ERROR;
+    }
+
     ptr = buf = apr_palloc(r->pool, headerlen);
 
     ptr += 4;
@@ -196,8 +205,6 @@ static int uwsgi_send_headers(request_rec *r, proxy_conn_rec * conn)
         ptr += vallen;
     }
 
-    pktsize = headerlen - 4;
-
     buf[0] = 0;
     buf[1] = (apr_byte_t) (pktsize & 0xff);
     buf[2] = (apr_byte_t) ((pktsize >> 8) & 0xff);
CVE-2020-9490 CVE-2020-11984 CVE-2020-11993 2020-09-27 14:58:52 +08:00			`From 0c543e3f5b3881d515d6235f152aacaaaf3aba72 Mon Sep 17 00:00:00 2001`
			`From: Yann Ylavic <ylavic@apache.org>`
			`Date: Fri, 24 Jul 2020 09:35:25 +0000`
			`Subject: [PATCH] Merge r1880205, r1880214 from trunk:`

			`mod_proxy_uwsgi: Error out on HTTP header larger than 16K`

			`The uwsgi protocol does not let us serialize more than 16K of HTTP header,`
			`so fail early with 500 if it happens.`


			`Follow up to r1880205, APLOGNO().`


			`Submitted by: ylavic`
			`Reviewed by: ylavic, covener, icing`


			`git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1880251 13f79535-47bb-0310-9956-ffa450edef68`
			`---`
			`modules/proxy/mod_proxy_uwsgi.c \| 13 ++++++++++---`
			`1 files changed, 10 insertions(+), 3 deletions(-)`

			`diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c`
			`index 2ac2a95d2ef..0209ac4062e 100644`
			`--- a/modules/proxy/mod_proxy_uwsgi.c`
			`+++ b/modules/proxy/mod_proxy_uwsgi.c`
			`@@ -136,7 +136,7 @@ static int uwsgi_send_headers(request_rec r, proxy_conn_rec conn)`
			`int j;`

			`apr_size_t headerlen = 4;`
			`- apr_uint16_t pktsize, keylen, vallen;`
			`+ apr_size_t pktsize, keylen, vallen;`
			`const char *script_name;`
			`const char *path_info;`
			`const char *auth;`
			`@@ -178,6 +178,15 @@ static int uwsgi_send_headers(request_rec r, proxy_conn_rec conn)`
			`headerlen += 2 + strlen(env[j].key) + 2 + strlen(env[j].val);`
			`}`

			`+ pktsize = headerlen - 4;`
			`+ if (pktsize > APR_UINT16_MAX) {`
			`+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10259)`
			`+ "can't send headers to %s:%u: packet size too "`
			`+ "large (%" APR_SIZE_T_FMT ")",`
			`+ conn->hostname, conn->port, pktsize);`
			`+ return HTTP_INTERNAL_SERVER_ERROR;`
			`+ }`
			`+`
			`ptr = buf = apr_palloc(r->pool, headerlen);`

			`ptr += 4;`
			`@@ -196,8 +205,6 @@ static int uwsgi_send_headers(request_rec r, proxy_conn_rec conn)`
			`ptr += vallen;`
			`}`

			`- pktsize = headerlen - 4;`
			`-`
			`buf[0] = 0;`
			`buf[1] = (apr_byte_t) (pktsize & 0xff);`
			`buf[2] = (apr_byte_t) ((pktsize >> 8) & 0xff);`