summaryrefslogtreecommitdiffstats
path: root/debian/patches/CVE-2022-22719.patch
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-07 02:04:07 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-07 02:04:07 +0000
commit1221c736f9a90756d47ea6d28320b6b83602dd2a (patch)
treeb453ba7b1393205258c9b098a773b4330984672f /debian/patches/CVE-2022-22719.patch
parentAdding upstream version 2.4.38. (diff)
downloadapache2-1221c736f9a90756d47ea6d28320b6b83602dd2a.tar.xz
apache2-1221c736f9a90756d47ea6d28320b6b83602dd2a.zip
Adding debian version 2.4.38-3+deb10u8.debian/2.4.38-3+deb10u8
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/CVE-2022-22719.patch')
-rw-r--r--debian/patches/CVE-2022-22719.patch95
1 files changed, 95 insertions, 0 deletions
diff --git a/debian/patches/CVE-2022-22719.patch b/debian/patches/CVE-2022-22719.patch
new file mode 100644
index 0000000..c52ceef
--- /dev/null
+++ b/debian/patches/CVE-2022-22719.patch
@@ -0,0 +1,95 @@
+From 1b96582269d9ec7c82ee0fea1f67934e4b8176ad Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 7 Mar 2022 14:51:19 +0000
+Subject: [PATCH] mod_lua: Error out if lua_read_body() or lua_write_body()
+ fail.
+
+Otherwise r:requestbody() or r:parsebody() failures might go unnoticed for
+the user.
+
+
+Merge r1898689 from trunk.
+Submitted by: rpluem
+Reviewed by: rpluem, covener, ylavic
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898694 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/lua/lua_request.c | 33 ++++++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
+index 493b2bb431..1eab7b6a47 100644
+--- a/modules/lua/lua_request.c
++++ b/modules/lua/lua_request.c
+@@ -235,14 +235,16 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size,
+ {
+ int rc = OK;
+
++ *rbuf = NULL;
++ *size = 0;
++
+ if ((rc = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR))) {
+ return (rc);
+ }
+ if (ap_should_client_block(r)) {
+
+ /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
+- char argsbuffer[HUGE_STRING_LEN];
+- apr_off_t rsize, len_read, rpos = 0;
++ apr_off_t len_read, rpos = 0;
+ apr_off_t length = r->remaining;
+ /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
+
+@@ -250,18 +252,18 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size,
+ return APR_EINCOMPLETE; /* Only room for incomplete data chunk :( */
+ }
+ *rbuf = (const char *) apr_pcalloc(r->pool, (apr_size_t) (length + 1));
+- *size = length;
+- while ((len_read = ap_get_client_block(r, argsbuffer, sizeof(argsbuffer))) > 0) {
+- if ((rpos + len_read) > length) {
+- rsize = length - rpos;
+- }
+- else {
+- rsize = len_read;
+- }
+-
+- memcpy((char *) *rbuf + rpos, argsbuffer, (size_t) rsize);
+- rpos += rsize;
++ while ((rpos < length)
++ && (len_read = ap_get_client_block(r, (char *) *rbuf + rpos,
++ length - rpos)) > 0) {
++ rpos += len_read;
++ }
++ if (len_read < 0) {
++ return APR_EINCOMPLETE;
+ }
++ *size = rpos;
++ }
++ else {
++ rc = DONE;
+ }
+
+ return (rc);
+@@ -278,6 +280,8 @@ static apr_status_t lua_write_body(request_rec *r, apr_file_t *file, apr_off_t *
+ {
+ apr_status_t rc = OK;
+
++ *size = 0;
++
+ if ((rc = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR)))
+ return rc;
+ if (ap_should_client_block(r)) {
+@@ -303,6 +307,9 @@ static apr_status_t lua_write_body(request_rec *r, apr_file_t *file, apr_off_t *
+ rpos += rsize;
+ }
+ }
++ else {
++ rc = DONE;
++ }
+
+ return rc;
+ }
+--
+2.30.2
+