packages/httpd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
httpd/CVE-2019-9517_CVE-2019-10081_CVE-2019-10082-3.patch

307 lines
13 KiB
Diff
Raw Blame History

From 1125fc2240353c41db09eac8fedcc75dfdf44edb Mon Sep 17 00:00:00 2001
From: Jim Jagielski <jim@apache.org>
Date: Wed, 19 Sep 2018 12:55:26 +0000
Subject: [PATCH 3/5] Merge r1835118 from trunk:
On the trunk:
* silencing gcc uninitialized warning
* refrainning from apr_table_addn() use since pool debug assumptions are in conflict
* adding more assertions
* copy-porting changes to base64 encoding code from mod_md
Submitted by: icing
Reviewed by: icing, minfrin, jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1841330 13f79535-47bb-0310-9956-ffa450edef68
---
modules/http2/h2_bucket_beam.c | 2 +-
modules/http2/h2_from_h1.c | 4 +-
modules/http2/h2_h2.c | 2 +-
modules/http2/h2_headers.c | 7 ++--
modules/http2/h2_mplx.c | 4 ++
modules/http2/h2_proxy_session.c | 4 +-
modules/http2/h2_util.c | 86 +++++++++++++++++++++-------------------
7 files changed, 58 insertions(+), 51 deletions(-)
diff --git a/modules/http2/h2_bucket_beam.c b/modules/http2/h2_bucket_beam.c
index 9f6fa82..f79cbe3 100644
--- a/modules/http2/h2_bucket_beam.c
+++ b/modules/http2/h2_bucket_beam.c
@@ -775,7 +775,7 @@ static apr_status_t append_bucket(h2_bucket_beam *beam,
const char *data;
apr_size_t len;
apr_status_t status;
- int can_beam, check_len;
+ int can_beam = 0, check_len;
if (beam->aborted) {
return APR_ECONNABORTED;
diff --git a/modules/http2/h2_from_h1.c b/modules/http2/h2_from_h1.c
index ae264a9..dd6ad90 100644
--- a/modules/http2/h2_from_h1.c
+++ b/modules/http2/h2_from_h1.c
@@ -164,7 +164,7 @@ static int copy_header(void *ctx, const char *name, const char *value)
{
apr_table_t *headers = ctx;
- apr_table_addn(headers, name, value);
+ apr_table_add(headers, name, value);
return 1;
}
@@ -250,7 +250,7 @@ static h2_headers *create_response(h2_task *task, request_rec *r)
if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
ap_recent_rfc822_date(date, r->request_time);
- apr_table_addn(r->headers_out, "Expires", date);
+ apr_table_add(r->headers_out, "Expires", date);
}
/* This is a hack, but I can't find anyway around it. The idea is that
diff --git a/modules/http2/h2_h2.c b/modules/http2/h2_h2.c
index dfee6b5..5580cef 100644
--- a/modules/http2/h2_h2.c
+++ b/modules/http2/h2_h2.c
@@ -694,7 +694,7 @@ static void check_push(request_rec *r, const char *tag)
tag, conf->push_list->nelts);
for (i = 0; i < conf->push_list->nelts; ++i) {
h2_push_res *push = &APR_ARRAY_IDX(conf->push_list, i, h2_push_res);
- apr_table_addn(r->headers_out, "Link",
+ apr_table_add(r->headers_out, "Link",
apr_psprintf(r->pool, "<%s>; rel=preload%s",
push->uri_ref, push->critical? "; critical" : ""));
}
diff --git a/modules/http2/h2_headers.c b/modules/http2/h2_headers.c
index 2be9545..49d9c0a 100644
--- a/modules/http2/h2_headers.c
+++ b/modules/http2/h2_headers.c
@@ -117,9 +117,9 @@ h2_headers *h2_headers_create(int status, apr_table_t *headers_in,
{
h2_headers *headers = apr_pcalloc(pool, sizeof(h2_headers));
headers->status = status;
- headers->headers = (headers_in? apr_table_copy(pool, headers_in)
+ headers->headers = (headers_in? apr_table_clone(pool, headers_in)
: apr_table_make(pool, 5));
- headers->notes = (notes? apr_table_copy(pool, notes)
+ headers->notes = (notes? apr_table_clone(pool, notes)
: apr_table_make(pool, 5));
return headers;
}
@@ -150,8 +150,7 @@ h2_headers *h2_headers_rcreate(request_rec *r, int status,
h2_headers *h2_headers_copy(apr_pool_t *pool, h2_headers *h)
{
- return h2_headers_create(h->status, apr_table_copy(pool, h->headers),
- apr_table_copy(pool, h->notes), h->raw_bytes, pool);
+ return h2_headers_create(h->status, h->headers, h->notes, h->raw_bytes, pool);
}
h2_headers *h2_headers_clone(apr_pool_t *pool, h2_headers *h)
diff --git a/modules/http2/h2_mplx.c b/modules/http2/h2_mplx.c
index 29f040c..db3cb63 100644
--- a/modules/http2/h2_mplx.c
+++ b/modules/http2/h2_mplx.c
@@ -476,6 +476,7 @@ void h2_mplx_release_and_join(h2_mplx *m, apr_thread_cond_t *wait)
h2_ihash_iter(m->shold, report_stream_iter, m);
}
}
+ ap_assert(m->tasks_active == 0);
m->join_wait = NULL;
/* 4. close the h2_req_enginge shed */
@@ -765,6 +766,9 @@ apr_status_t h2_mplx_pop_task(h2_mplx *m, h2_task **ptask)
apr_status_t rv = APR_EOF;
*ptask = NULL;
+ ap_assert(m);
+ ap_assert(m->lock);
+
if (APR_SUCCESS != (rv = apr_thread_mutex_lock(m->lock))) {
return rv;
}
diff --git a/modules/http2/h2_proxy_session.c b/modules/http2/h2_proxy_session.c
index a077ce1..8389c7c 100644
--- a/modules/http2/h2_proxy_session.c
+++ b/modules/http2/h2_proxy_session.c
@@ -237,7 +237,7 @@ static int before_frame_send(nghttp2_session *ngh2,
static int add_header(void *table, const char *n, const char *v)
{
- apr_table_addn(table, n, v);
+ apr_table_add(table, n, v);
return 1;
}
@@ -361,7 +361,7 @@ static void h2_proxy_stream_end_headers_out(h2_proxy_stream *stream)
}
/* create a "Via:" response header entry and merge it */
- apr_table_addn(r->headers_out, "Via",
+ apr_table_add(r->headers_out, "Via",
(session->conf->viaopt == via_full)
? apr_psprintf(p, "%d.%d %s%s (%s)",
HTTP_VERSION_MAJOR(r->proto_num),
diff --git a/modules/http2/h2_util.c b/modules/http2/h2_util.c
index 3d7ba37..9dacd8b 100644
--- a/modules/http2/h2_util.c
+++ b/modules/http2/h2_util.c
@@ -115,26 +115,28 @@ void h2_util_camel_case_header(char *s, size_t len)
/* base64 url encoding ****************************************************************************/
-static const int BASE64URL_UINT6[] = {
+#define N6 (unsigned int)-1
+
+static const unsigned int BASE64URL_UINT6[] = {
/* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0 */
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 1 */
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, /* 2 */
- 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, /* 3 */
- -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, /* 4 */
- 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, 63, /* 5 */
- -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, /* 6 */
- 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, /* 7 */
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 8 */
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 9 */
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* a */
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* b */
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* c */
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* d */
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* e */
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 /* f */
+ N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, /* 0 */
+ N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, /* 1 */
+ N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, 62, N6, N6, /* 2 */
+ 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, N6, N6, N6, N6, N6, N6, /* 3 */
+ N6, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, /* 4 */
+ 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, N6, N6, N6, N6, 63, /* 5 */
+ N6, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, /* 6 */
+ 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, N6, N6, N6, N6, N6, /* 7 */
+ N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, /* 8 */
+ N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, /* 9 */
+ N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, /* a */
+ N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, /* b */
+ N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, /* c */
+ N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, /* d */
+ N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, /* e */
+ N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6, N6 /* f */
};
-static const char BASE64URL_CHARS[] = {
+static const unsigned char BASE64URL_CHARS[] = {
'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', /* 0 - 9 */
'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', /* 10 - 19 */
'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', /* 20 - 29 */
@@ -144,21 +146,23 @@ static const char BASE64URL_CHARS[] = {
'8', '9', '-', '_', ' ', ' ', ' ', ' ', ' ', ' ', /* 60 - 69 */
};
+#define BASE64URL_CHAR(x) BASE64URL_CHARS[ (unsigned int)(x) & 0x3fu ]
+
apr_size_t h2_util_base64url_decode(const char **decoded, const char *encoded,
apr_pool_t *pool)
{
const unsigned char *e = (const unsigned char *)encoded;
const unsigned char *p = e;
unsigned char *d;
- int n;
- apr_size_t len, mlen, remain, i;
+ unsigned int n;
+ long len, mlen, remain, i;
- while (*p && BASE64URL_UINT6[ *p ] != -1) {
+ while (*p && BASE64URL_UINT6[ *p ] != N6) {
++p;
}
- len = p - e;
+ len = (int)(p - e);
mlen = (len/4)*4;
- *decoded = apr_pcalloc(pool, len+1);
+ *decoded = apr_pcalloc(pool, (apr_size_t)len + 1);
i = 0;
d = (unsigned char*)*decoded;
@@ -167,60 +171,60 @@ apr_size_t h2_util_base64url_decode(const char **decoded, const char *encoded,
(BASE64URL_UINT6[ e[i+1] ] << 12) +
(BASE64URL_UINT6[ e[i+2] ] << 6) +
(BASE64URL_UINT6[ e[i+3] ]));
- *d++ = n >> 16;
- *d++ = n >> 8 & 0xffu;
- *d++ = n & 0xffu;
+ *d++ = (unsigned char)(n >> 16);
+ *d++ = (unsigned char)(n >> 8 & 0xffu);
+ *d++ = (unsigned char)(n & 0xffu);
}
remain = len - mlen;
switch (remain) {
case 2:
n = ((BASE64URL_UINT6[ e[mlen+0] ] << 18) +
(BASE64URL_UINT6[ e[mlen+1] ] << 12));
- *d++ = n >> 16;
+ *d++ = (unsigned char)(n >> 16);
remain = 1;
break;
case 3:
n = ((BASE64URL_UINT6[ e[mlen+0] ] << 18) +
(BASE64URL_UINT6[ e[mlen+1] ] << 12) +
(BASE64URL_UINT6[ e[mlen+2] ] << 6));
- *d++ = n >> 16;
- *d++ = n >> 8 & 0xffu;
+ *d++ = (unsigned char)(n >> 16);
+ *d++ = (unsigned char)(n >> 8 & 0xffu);
remain = 2;
break;
default: /* do nothing */
break;
}
- return mlen/4*3 + remain;
+ return (apr_size_t)(mlen/4*3 + remain);
}
const char *h2_util_base64url_encode(const char *data,
apr_size_t dlen, apr_pool_t *pool)
{
- long i, len = (int)dlen;
+ int i, len = (int)dlen;
apr_size_t slen = ((dlen+2)/3)*4 + 1; /* 0 terminated */
const unsigned char *udata = (const unsigned char*)data;
- char *enc, *p = apr_pcalloc(pool, slen);
+ unsigned char *enc, *p = apr_pcalloc(pool, slen);
enc = p;
for (i = 0; i < len-2; i+= 3) {
- *p++ = BASE64URL_CHARS[ (udata[i] >> 2) & 0x3fu ];
- *p++ = BASE64URL_CHARS[ ((udata[i] << 4) + (udata[i+1] >> 4)) & 0x3fu ];
- *p++ = BASE64URL_CHARS[ ((udata[i+1] << 2) + (udata[i+2] >> 6)) & 0x3fu ];
- *p++ = BASE64URL_CHARS[ udata[i+2] & 0x3fu ];
+ *p++ = BASE64URL_CHAR( (udata[i] >> 2) );
+ *p++ = BASE64URL_CHAR( (udata[i] << 4) + (udata[i+1] >> 4) );
+ *p++ = BASE64URL_CHAR( (udata[i+1] << 2) + (udata[i+2] >> 6) );
+ *p++ = BASE64URL_CHAR( (udata[i+2]) );
}
if (i < len) {
- *p++ = BASE64URL_CHARS[ (udata[i] >> 2) & 0x3fu ];
+ *p++ = BASE64URL_CHAR( (udata[i] >> 2) );
if (i == (len - 1)) {
- *p++ = BASE64URL_CHARS[ (udata[i] << 4) & 0x3fu ];
+ *p++ = BASE64URL_CHARS[ ((unsigned int)udata[i] << 4) & 0x3fu ];
}
else {
- *p++ = BASE64URL_CHARS[ ((udata[i] << 4) + (udata[i+1] >> 4)) & 0x3fu ];
- *p++ = BASE64URL_CHARS[ (udata[i+1] << 2) & 0x3fu ];
+ *p++ = BASE64URL_CHAR( (udata[i] << 4) + (udata[i+1] >> 4) );
+ *p++ = BASE64URL_CHAR( (udata[i+1] << 2) );
}
}
*p++ = '\0';
- return enc;
+ return (char *)enc;
}
/*******************************************************************************
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink