!62 fix Integer overflow in ap_timeout_parameter_parse

From: @eaglegai
Reviewed-by: @zengwefeng
Signed-off-by: @zengwefeng
openeuler-ci-bot 2021-11-05 09:29:02 +00:00 committed by Gitee
commit 2e5ba1ef39
3 changed files with 155 additions and 1 deletions


@ -0,0 +1,74 @@
From 9226cbc6b92492615856b567ac7f7557f196634b Mon Sep 17 00:00:00 2001
From: Christophe Jaillet <jailletc36@apache.org>
Date: Tue, 10 Aug 2021 18:49:20 +0000
Subject: [PATCH] Follow up to 1892038, 1892063.
Improve fix to please a fuzzer which reports:
util.c:2713:26: runtime error: signed integer overflow:
9999999999999999 * 1000 cannot be represented in type 'long'
Compute the maximum limit for each case 's', 'h', 'ms' and 'mi' and make sure that the input is below this value.
While at it, move a comment to make things more consistent and use 'apr_time_from_msec() instead of hand writing it.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892185 13f79535-47bb-0310-9956-ffa450edef68
---
server/util.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/server/util.c b/server/util.c
index 4a35eac6b0c..d87417f7621 100644
--- a/server/util.c
+++ b/server/util.c
@@ -2668,6 +2668,7 @@ AP_DECLARE(char *) ap_append_pid(apr_pool_t *p, const char *string,
* in timeout_parameter.
* @return Status value indicating whether the parsing was successful or not.
*/
+#define CHECK_OVERFLOW(a, b) if (a > b) return APR_ERANGE
AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
const char *timeout_parameter,
apr_interval_time_t *timeout,
@@ -2697,10 +2698,12 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
switch (*time_str) {
/* Time is in seconds */
case 's':
+ CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX));
check = apr_time_from_sec(tout);
break;
+ /* Time is in hours */
case 'h':
- /* Time is in hours */
+ CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX / 3600));
check = apr_time_from_sec(tout * 3600);
break;
case 'm':
@@ -2710,10 +2713,12 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
switch (*(++time_str)) {
/* Time is in milliseconds */
case 's':
- check = tout * 1000;
+ CHECK_OVERFLOW(tout, apr_time_as_msec(APR_INT64_MAX));
+ check = apr_time_from_msec(tout);
break;
/* Time is in minutes */
case 'i':
+ CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX / 60));
check = apr_time_from_sec(tout * 60);
break;
default:
@@ -2724,12 +2729,11 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
default:
return APR_EGENERAL;
}
- if (check > APR_INT64_MAX || check < 0) {
- return APR_ERANGE;
- }
- *timeout = (apr_interval_time_t) check;
+
+ *timeout = (apr_interval_time_t)check;
return APR_SUCCESS;
}
+#undef CHECK_OVERFLOW
AP_DECLARE(int) ap_parse_strict_length(apr_off_t *len, const char *str)
{
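Review bot: `CHECK_OVERFLOW`, as defined just before `ap_timeout_parameter_parse`, expands to a bare `if` with a hidden `return` and unparenthesized arguments, so it is only safe in the exact statement positions used inside the `switch`; a following `else` or an argument containing a lower-precedence operator would silently change its meaning. I would write it as `#define CHECK_OVERFLOW(a, b) do { if ((a) > (b)) return APR_ERANGE; } while (0)` and move it above the doc comment, since it now sits between that comment and the declaration it documents. The macro tests only the upper bound and this patch also drops the final `check < 0` test, so negative input is rejected solely by the `if (tout < 0)` guard added by the companion patch in this commit; a comment at the macro such as `/* upper bound only: negative values must already have been rejected */` would make that dependency visible. Parts of the function lie between the hunks and are not shown.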


@ -0,0 +1,71 @@
From 7ea44d0402334e40f31730d889c5ad60e158692d Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Fri, 6 Aug 2021 13:10:45 +0000
Subject: [PATCH] fix int overflow in ap_timeout_parameter_parse
signed integer overflow in ap_timeout_parameter_parse under fuzzing
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892038 13f79535-47bb-0310-9956-ffa450edef68
---
server/util.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/server/util.c b/server/util.c
index 2d7708ae851..6f9dbd4d657 100644
--- a/server/util.c
+++ b/server/util.c
@@ -2676,6 +2676,7 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
char *endp;
const char *time_str;
apr_int64_t tout;
+ apr_uint64_t check;
tout = apr_strtoi64(timeout_parameter, &endp, 10);
if (errno) {
@@ -2688,14 +2689,18 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
time_str = endp;
}
+ if (tout < 0) {
+ return APR_ERANGE;
+ }
+
switch (*time_str) {
/* Time is in seconds */
case 's':
- *timeout = (apr_interval_time_t) apr_time_from_sec(tout);
+ check = apr_time_from_sec(tout);
break;
case 'h':
/* Time is in hours */
- *timeout = (apr_interval_time_t) apr_time_from_sec(tout * 3600);
+ check = apr_time_from_sec(tout * 3600);
break;
case 'm':
switch (*(++time_str)) {
@@ -2705,11 +2710,11 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
switch (*(++time_str)) {
/* Time is in milliseconds */
case 's':
- *timeout = (apr_interval_time_t) tout * 1000;
+ check = tout * 1000;
break;
/* Time is in minutes */
case 'i':
- *timeout = (apr_interval_time_t) apr_time_from_sec(tout * 60);
+ check = apr_time_from_sec(tout * 60);
break;
default:
return APR_EGENERAL;
@@ -2719,6 +2724,10 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
default:
return APR_EGENERAL;
}
+ if (check > APR_INT64_MAX || check < 0) {
+ return APR_ERANGE;
+ }
+ *timeout = (apr_interval_time_t) check;
return APR_SUCCESS;
}
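Review bot: The range test added at the end of `ap_timeout_parameter_parse` cannot catch the overflow it targets: `check` is declared `apr_uint64_t`, so `check < 0` is always false, and `tout * 3600`, `tout * 60` and `tout * 1000` are still multiplied as signed `apr_int64_t` before the result is stored, which is the `9999999999999999 * 1000` report quoted in the follow-up patch. The other patch file in this commit replaces this test with bounds checked before each multiplication, so this patch should never be carried on its own. A spec comment above the two new `Patch` lines, such as `# Patch28 is incomplete without Patch29 (signed overflow remains)`, would record that for later backports. Parts of the function lie outside the hunks.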


@ -8,7 +8,7 @@
Name: httpd
Summary: Apache HTTP Server
Version: 2.4.48
Release: 3
Release: 4
License: ASL 2.0
URL: https://httpd.apache.org/
Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@ -77,6 +77,8 @@ Patch24: backport-003-CVE-2021-40438.patch
Patch25: backport-004-CVE-2021-40438.patch
Patch26: backport-001-CVE-2021-39275.patch
Patch27: backport-002-CVE-2021-39275.patch
Patch28: backport-fix-int-overflow-in-ap_timeout_parameter_parse.patch
Patch29: backport-Improve-fix-to-please-a-fuzzer-which-reports-overflow.patch
BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@ -509,6 +511,13 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Fri Nov 05 2021 gaihuiying <gaihuiying1@huawei.com> - 2.4.48-4
- Type:bugfix
- ID:NA
- SUG:restart
- DESC:fix int overflow in ap_timeout_parameter_parse
Improve fix to please a fuzzer int overflow
* Wed Sep 29 2021 gaihuiying <gaihuiying1@huawei.com> - 2.4.48-3
- Type:cves
- ID:CVE-2021-40438 CVE-2021-39275