1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
Description: Initialize the request fields on read failure to avoid NULLs
Origin: upstream, https://github.com/apache/httpd/commit/74c097f0,
https://github.com/apache/httpd/commit/6945bb2
Bug: https://security-tracker.debian.org/tracker/CVE-2021-34798
Forwarded: not-needed
Reviewed-By: Yadd <yadd@debian.org>
Last-Update: 2021-09-21
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -643,6 +643,8 @@
return end - field;
}
+static const char m_invalid_str[] = "-";
+
static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
{
enum {
@@ -685,6 +687,11 @@
if (rv != APR_SUCCESS) {
r->request_time = apr_time_now();
+ /* Fall through with an invalid (non NULL) request */
+ r->method = m_invalid_str;
+ r->method_number = M_INVALID;
+ r->uri = r->unparsed_uri = apr_pstrdup(r->pool, "-");
+
/* ap_rgetline returns APR_ENOSPC if it fills up the
* buffer before finding the end-of-line. This is only going to
* happen if it exceeds the configured limit for a request-line.
@@ -1330,7 +1337,7 @@
"request failed: client's request-line exceeds LimitRequestLine (longer than %d)",
r->server->limit_req_line);
}
- else if (r->method == NULL) {
+ else if (r->method == m_invalid_str) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00566)
"request failed: malformed request line");
}
|
