summaryrefslogtreecommitdiffstats
path: root/debian/patches/CVE-2022-30522.patch
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/CVE-2022-30522.patch561
1 files changed, 561 insertions, 0 deletions
diff --git a/debian/patches/CVE-2022-30522.patch b/debian/patches/CVE-2022-30522.patch
new file mode 100644
index 0000000..5ad124e
--- /dev/null
+++ b/debian/patches/CVE-2022-30522.patch
@@ -0,0 +1,561 @@
+From db47781128e42bd49f55076665b3f6ca4e2bc5e2 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Wed, 1 Jun 2022 12:50:40 +0000
+Subject: [PATCH] Merge r1901506 from trunk:
+
+limit mod_sed memory use
+
+Resync mod_sed.c with trunk due to merge conflicts.
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901509 13f79535-47bb-0310-9956-ffa450edef68
+Origin: https://github.com/apache/httpd/commit/db47781128e42bd49f55076665b3f6ca4e2bc5e2
+---
+ modules/filters/mod_sed.c | 75 ++++++++----------
+ modules/filters/sed1.c | 158 +++++++++++++++++++++++++++-----------
+ 2 files changed, 147 insertions(+), 86 deletions(-)
+
+diff --git a/modules/filters/mod_sed.c b/modules/filters/mod_sed.c
+index 4bdb4ce33a..12cb04a20f 100644
+--- a/modules/filters/mod_sed.c
++++ b/modules/filters/mod_sed.c
+@@ -59,7 +59,7 @@ typedef struct sed_filter_ctxt
+ module AP_MODULE_DECLARE_DATA sed_module;
+
+ /* This function will be call back from libsed functions if there is any error
+- * happend during execution of sed scripts
++ * happened during execution of sed scripts
+ */
+ static apr_status_t log_sed_errf(void *data, const char *error)
+ {
+@@ -277,7 +277,7 @@ static apr_status_t sed_response_filter(ap_filter_t *f,
+ apr_bucket_brigade *bb)
+ {
+ apr_bucket *b;
+- apr_status_t status;
++ apr_status_t status = APR_SUCCESS;
+ sed_config *cfg = ap_get_module_config(f->r->per_dir_config,
+ &sed_module);
+ sed_filter_ctxt *ctx = f->ctx;
+@@ -302,9 +302,9 @@ static apr_status_t sed_response_filter(ap_filter_t *f,
+ return status;
+ ctx = f->ctx;
+ apr_table_unset(f->r->headers_out, "Content-Length");
+- }
+
+- ctx->bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
++ ctx->bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
++ }
+
+ /* Here is the main logic. Iterate through all the buckets, read the
+ * content of the bucket, call sed_eval_buffer on the data.
+@@ -326,63 +326,52 @@ static apr_status_t sed_response_filter(ap_filter_t *f,
+ * in sed's internal buffer which can't be flushed until new line
+ * character is arrived.
+ */
+- for (b = APR_BRIGADE_FIRST(bb); b != APR_BRIGADE_SENTINEL(bb);) {
+- const char *buf = NULL;
+- apr_size_t bytes = 0;
++ while (!APR_BRIGADE_EMPTY(bb)) {
++ b = APR_BRIGADE_FIRST(bb);
+ if (APR_BUCKET_IS_EOS(b)) {
+- apr_bucket *b1 = APR_BUCKET_NEXT(b);
+ /* Now clean up the internal sed buffer */
+ sed_finalize_eval(&ctx->eval, ctx);
+ status = flush_output_buffer(ctx);
+ if (status != APR_SUCCESS) {
+- clear_ctxpool(ctx);
+- return status;
++ break;
+ }
++ /* Move the eos bucket to ctx->bb brigade */
+ APR_BUCKET_REMOVE(b);
+- /* Insert the eos bucket to ctx->bb brigade */
+ APR_BRIGADE_INSERT_TAIL(ctx->bb, b);
+- b = b1;
+ }
+ else if (APR_BUCKET_IS_FLUSH(b)) {
+- apr_bucket *b1 = APR_BUCKET_NEXT(b);
+- APR_BUCKET_REMOVE(b);
+ status = flush_output_buffer(ctx);
+ if (status != APR_SUCCESS) {
+- clear_ctxpool(ctx);
+- return status;
++ break;
+ }
++ /* Move the flush bucket to ctx->bb brigade */
++ APR_BUCKET_REMOVE(b);
+ APR_BRIGADE_INSERT_TAIL(ctx->bb, b);
+- b = b1;
+- }
+- else if (APR_BUCKET_IS_METADATA(b)) {
+- b = APR_BUCKET_NEXT(b);
+ }
+- else if (apr_bucket_read(b, &buf, &bytes, APR_BLOCK_READ)
+- == APR_SUCCESS) {
+- apr_bucket *b1 = APR_BUCKET_NEXT(b);
+- status = sed_eval_buffer(&ctx->eval, buf, bytes, ctx);
+- if (status != APR_SUCCESS) {
+- clear_ctxpool(ctx);
+- return status;
++ else {
++ if (!APR_BUCKET_IS_METADATA(b)) {
++ const char *buf = NULL;
++ apr_size_t bytes = 0;
++
++ status = apr_bucket_read(b, &buf, &bytes, APR_BLOCK_READ);
++ if (status == APR_SUCCESS) {
++ status = sed_eval_buffer(&ctx->eval, buf, bytes, ctx);
++ }
++ if (status != APR_SUCCESS) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, f->r, APLOGNO(10394) "error evaluating sed on output");
++ break;
++ }
+ }
+- APR_BUCKET_REMOVE(b);
+ apr_bucket_delete(b);
+- b = b1;
+- }
+- else {
+- apr_bucket *b1 = APR_BUCKET_NEXT(b);
+- APR_BUCKET_REMOVE(b);
+- b = b1;
+ }
+ }
+- apr_brigade_cleanup(bb);
+- status = flush_output_buffer(ctx);
+- if (status != APR_SUCCESS) {
+- clear_ctxpool(ctx);
+- return status;
++ if (status == APR_SUCCESS) {
++ status = flush_output_buffer(ctx);
+ }
+ if (!APR_BRIGADE_EMPTY(ctx->bb)) {
+- status = ap_pass_brigade(f->next, ctx->bb);
++ if (status == APR_SUCCESS) {
++ status = ap_pass_brigade(f->next, ctx->bb);
++ }
+ apr_brigade_cleanup(ctx->bb);
+ }
+ clear_ctxpool(ctx);
+@@ -433,7 +422,7 @@ static apr_status_t sed_request_filter(ap_filter_t *f,
+ * the buckets in bbinp and read the data from buckets and invoke
+ * sed_eval_buffer on the data. libsed will generate its output using
+ * sed_write_output which will add data in ctx->bb. Do it until it have
+- * atleast one bucket in ctx->bb. At the end of data eos bucket
++ * at least one bucket in ctx->bb. At the end of data eos bucket
+ * should be there.
+ *
+ * Once eos bucket is seen, then invoke sed_finalize_eval to clear the
+@@ -475,8 +464,10 @@ static apr_status_t sed_request_filter(ap_filter_t *f,
+ if (apr_bucket_read(b, &buf, &bytes, APR_BLOCK_READ)
+ == APR_SUCCESS) {
+ status = sed_eval_buffer(&ctx->eval, buf, bytes, ctx);
+- if (status != APR_SUCCESS)
++ if (status != APR_SUCCESS) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, f->r, APLOGNO(10395) "error evaluating sed on input");
+ return status;
++ }
+ flush_output_buffer(ctx);
+ }
+ }
+diff --git a/modules/filters/sed1.c b/modules/filters/sed1.c
+index 67a8d06515..047f49ba13 100644
+--- a/modules/filters/sed1.c
++++ b/modules/filters/sed1.c
+@@ -87,18 +87,20 @@ static void eval_errf(sed_eval_t *eval, const char *fmt, ...)
+ }
+
+ #define INIT_BUF_SIZE 1024
++#define MAX_BUF_SIZE 1024*8192
+
+ /*
+ * grow_buffer
+ */
+-static void grow_buffer(apr_pool_t *pool, char **buffer,
++static apr_status_t grow_buffer(apr_pool_t *pool, char **buffer,
+ char **spend, apr_size_t *cursize,
+ apr_size_t newsize)
+ {
+ char* newbuffer = NULL;
+ apr_size_t spendsize = 0;
+- if (*cursize >= newsize)
+- return;
++ if (*cursize >= newsize) {
++ return APR_SUCCESS;
++ }
+ /* Avoid number of times realloc is called. It could cause huge memory
+ * requirement if line size is huge e.g 2 MB */
+ if (newsize < *cursize * 2) {
+@@ -107,6 +109,9 @@ static void grow_buffer(apr_pool_t *pool, char **buffer,
+
+ /* Align it to 4 KB boundary */
+ newsize = (newsize + ((1 << 12) - 1)) & ~((1 << 12) - 1);
++ if (newsize > MAX_BUF_SIZE) {
++ return APR_ENOMEM;
++ }
+ newbuffer = apr_pcalloc(pool, newsize);
+ if (*spend && *buffer && (*cursize > 0)) {
+ spendsize = *spend - *buffer;
+@@ -119,63 +124,77 @@ static void grow_buffer(apr_pool_t *pool, char **buffer,
+ if (spend != buffer) {
+ *spend = *buffer + spendsize;
+ }
++ return APR_SUCCESS;
+ }
+
+ /*
+ * grow_line_buffer
+ */
+-static void grow_line_buffer(sed_eval_t *eval, apr_size_t newsize)
++static apr_status_t grow_line_buffer(sed_eval_t *eval, apr_size_t newsize)
+ {
+- grow_buffer(eval->pool, &eval->linebuf, &eval->lspend,
++ return grow_buffer(eval->pool, &eval->linebuf, &eval->lspend,
+ &eval->lsize, newsize);
+ }
+
+ /*
+ * grow_hold_buffer
+ */
+-static void grow_hold_buffer(sed_eval_t *eval, apr_size_t newsize)
++static apr_status_t grow_hold_buffer(sed_eval_t *eval, apr_size_t newsize)
+ {
+- grow_buffer(eval->pool, &eval->holdbuf, &eval->hspend,
++ return grow_buffer(eval->pool, &eval->holdbuf, &eval->hspend,
+ &eval->hsize, newsize);
+ }
+
+ /*
+ * grow_gen_buffer
+ */
+-static void grow_gen_buffer(sed_eval_t *eval, apr_size_t newsize,
++static apr_status_t grow_gen_buffer(sed_eval_t *eval, apr_size_t newsize,
+ char **gspend)
+ {
++ apr_status_t rc = 0;
+ if (gspend == NULL) {
+ gspend = &eval->genbuf;
+ }
+- grow_buffer(eval->pool, &eval->genbuf, gspend,
+- &eval->gsize, newsize);
+- eval->lcomend = &eval->genbuf[71];
++ rc = grow_buffer(eval->pool, &eval->genbuf, gspend,
++ &eval->gsize, newsize);
++ if (rc == APR_SUCCESS) {
++ eval->lcomend = &eval->genbuf[71];
++ }
++ return rc;
+ }
+
+ /*
+ * appendmem_to_linebuf
+ */
+-static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, apr_size_t len)
++static apr_status_t appendmem_to_linebuf(sed_eval_t *eval, const char* sz, apr_size_t len)
+ {
++ apr_status_t rc = 0;
+ apr_size_t reqsize = (eval->lspend - eval->linebuf) + len;
+ if (eval->lsize < reqsize) {
+- grow_line_buffer(eval, reqsize);
++ rc = grow_line_buffer(eval, reqsize);
++ if (rc != APR_SUCCESS) {
++ return rc;
++ }
+ }
+ memcpy(eval->lspend, sz, len);
+ eval->lspend += len;
++ return APR_SUCCESS;
+ }
+
+ /*
+ * append_to_linebuf
+ */
+-static void append_to_linebuf(sed_eval_t *eval, const char* sz,
++static apr_status_t append_to_linebuf(sed_eval_t *eval, const char* sz,
+ step_vars_storage *step_vars)
+ {
+ apr_size_t len = strlen(sz);
+ char *old_linebuf = eval->linebuf;
++ apr_status_t rc = 0;
+ /* Copy string including null character */
+- appendmem_to_linebuf(eval, sz, len + 1);
++ rc = appendmem_to_linebuf(eval, sz, len + 1);
++ if (rc != APR_SUCCESS) {
++ return rc;
++ }
+ --eval->lspend; /* lspend will now point to NULL character */
+ /* Sync step_vars after a possible linebuf expansion */
+ if (step_vars && old_linebuf != eval->linebuf) {
+@@ -189,68 +208,84 @@ static void append_to_linebuf(sed_eval_t *eval, const char* sz,
+ step_vars->locs = step_vars->locs - old_linebuf + eval->linebuf;
+ }
+ }
++ return APR_SUCCESS;
+ }
+
+ /*
+ * copy_to_linebuf
+ */
+-static void copy_to_linebuf(sed_eval_t *eval, const char* sz,
++static apr_status_t copy_to_linebuf(sed_eval_t *eval, const char* sz,
+ step_vars_storage *step_vars)
+ {
+ eval->lspend = eval->linebuf;
+- append_to_linebuf(eval, sz, step_vars);
++ return append_to_linebuf(eval, sz, step_vars);
+ }
+
+ /*
+ * append_to_holdbuf
+ */
+-static void append_to_holdbuf(sed_eval_t *eval, const char* sz)
++static apr_status_t append_to_holdbuf(sed_eval_t *eval, const char* sz)
+ {
+ apr_size_t len = strlen(sz);
+ apr_size_t reqsize = (eval->hspend - eval->holdbuf) + len + 1;
++ apr_status_t rc = 0;
+ if (eval->hsize <= reqsize) {
+- grow_hold_buffer(eval, reqsize);
++ rc = grow_hold_buffer(eval, reqsize);
++ if (rc != APR_SUCCESS) {
++ return rc;
++ }
+ }
+ memcpy(eval->hspend, sz, len + 1);
+ /* hspend will now point to NULL character */
+ eval->hspend += len;
++ return APR_SUCCESS;
+ }
+
+ /*
+ * copy_to_holdbuf
+ */
+-static void copy_to_holdbuf(sed_eval_t *eval, const char* sz)
++static apr_status_t copy_to_holdbuf(sed_eval_t *eval, const char* sz)
+ {
+ eval->hspend = eval->holdbuf;
+- append_to_holdbuf(eval, sz);
++ return append_to_holdbuf(eval, sz);
+ }
+
+ /*
+ * append_to_genbuf
+ */
+-static void append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend)
++static apr_status_t append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend)
+ {
+ apr_size_t len = strlen(sz);
+ apr_size_t reqsize = (*gspend - eval->genbuf) + len + 1;
++ apr_status_t rc = 0;
+ if (eval->gsize < reqsize) {
+- grow_gen_buffer(eval, reqsize, gspend);
++ rc = grow_gen_buffer(eval, reqsize, gspend);
++ if (rc != APR_SUCCESS) {
++ return rc;
++ }
+ }
+ memcpy(*gspend, sz, len + 1);
+ /* *gspend will now point to NULL character */
+ *gspend += len;
++ return APR_SUCCESS;
+ }
+
+ /*
+ * copy_to_genbuf
+ */
+-static void copy_to_genbuf(sed_eval_t *eval, const char* sz)
++static apr_status_t copy_to_genbuf(sed_eval_t *eval, const char* sz)
+ {
+ apr_size_t len = strlen(sz);
+ apr_size_t reqsize = len + 1;
++ apr_status_t rc = APR_SUCCESS;;
+ if (eval->gsize < reqsize) {
+- grow_gen_buffer(eval, reqsize, NULL);
++ rc = grow_gen_buffer(eval, reqsize, NULL);
++ if (rc != APR_SUCCESS) {
++ return rc;
++ }
+ }
+ memcpy(eval->genbuf, sz, len + 1);
++ return rc;
+ }
+
+ /*
+@@ -397,6 +432,7 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz
+ }
+
+ while (bufsz) {
++ apr_status_t rc = 0;
+ char *n;
+ apr_size_t llen;
+
+@@ -411,7 +447,10 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz
+ break;
+ }
+
+- appendmem_to_linebuf(eval, buf, llen + 1);
++ rc = appendmem_to_linebuf(eval, buf, llen + 1);
++ if (rc != APR_SUCCESS) {
++ return rc;
++ }
+ --eval->lspend;
+ /* replace new line character with NULL */
+ *eval->lspend = '\0';
+@@ -426,7 +465,10 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz
+
+ /* Save the leftovers for later */
+ if (bufsz) {
+- appendmem_to_linebuf(eval, buf, bufsz);
++ apr_status_t rc = appendmem_to_linebuf(eval, buf, bufsz);
++ if (rc != APR_SUCCESS) {
++ return rc;
++ }
+ }
+
+ return APR_SUCCESS;
+@@ -448,6 +490,7 @@ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *fout)
+ /* Process leftovers */
+ if (eval->lspend > eval->linebuf) {
+ apr_status_t rv;
++ apr_status_t rc = 0;
+
+ if (eval->lreadyflag) {
+ eval->lreadyflag = 0;
+@@ -457,7 +500,10 @@ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *fout)
+ * buffer is not a newline.
+ */
+ /* Assure space for NULL */
+- append_to_linebuf(eval, "", NULL);
++ rc = append_to_linebuf(eval, "", NULL);
++ if (rc != APR_SUCCESS) {
++ return rc;
++ }
+ }
+
+ *eval->lspend = '\0';
+@@ -655,11 +701,15 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
+ sp = eval->genbuf;
+ rp = rhsbuf;
+ sp = place(eval, sp, lp, step_vars->loc1);
++ if (sp == NULL) {
++ return APR_EGENERAL;
++ }
+ while ((c = *rp++) != 0) {
+ if (c == '&') {
+ sp = place(eval, sp, step_vars->loc1, step_vars->loc2);
+- if (sp == NULL)
++ if (sp == NULL) {
+ return APR_EGENERAL;
++ }
+ }
+ else if (c == '\\') {
+ c = *rp++;
+@@ -675,13 +725,19 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
+ *sp++ = c;
+ if (sp >= eval->genbuf + eval->gsize) {
+ /* expand genbuf and set the sp appropriately */
+- grow_gen_buffer(eval, eval->gsize + 1024, &sp);
++ rv = grow_gen_buffer(eval, eval->gsize + 1024, &sp);
++ if (rv != APR_SUCCESS) {
++ return rv;
++ }
+ }
+ }
+ lp = step_vars->loc2;
+ step_vars->loc2 = sp - eval->genbuf + eval->linebuf;
+- append_to_genbuf(eval, lp, &sp);
+- copy_to_linebuf(eval, eval->genbuf, step_vars);
++ rv = append_to_genbuf(eval, lp, &sp);
++ if (rv != APR_SUCCESS) {
++ return rv;
++ }
++ rv = copy_to_linebuf(eval, eval->genbuf, step_vars);
+ return rv;
+ }
+
+@@ -695,7 +751,10 @@ static char *place(sed_eval_t *eval, char *asp, char *al1, char *al2)
+ apr_size_t reqsize = (sp - eval->genbuf) + n + 1;
+
+ if (eval->gsize < reqsize) {
+- grow_gen_buffer(eval, reqsize, &sp);
++ apr_status_t rc = grow_gen_buffer(eval, reqsize, &sp);
++ if (rc != APR_SUCCESS) {
++ return NULL;
++ }
+ }
+ memcpy(sp, al1, n);
+ return sp + n;
+@@ -750,7 +809,8 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
+ }
+
+ p1++;
+- copy_to_linebuf(eval, p1, step_vars);
++ rv = copy_to_linebuf(eval, p1, step_vars);
++ if (rv != APR_SUCCESS) return rv;
+ eval->jflag++;
+ break;
+
+@@ -760,21 +820,27 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
+ break;
+
+ case GCOM:
+- copy_to_linebuf(eval, eval->holdbuf, step_vars);
++ rv = copy_to_linebuf(eval, eval->holdbuf, step_vars);
++ if (rv != APR_SUCCESS) return rv;
+ break;
+
+ case CGCOM:
+- append_to_linebuf(eval, "\n", step_vars);
+- append_to_linebuf(eval, eval->holdbuf, step_vars);
++ rv = append_to_linebuf(eval, "\n", step_vars);
++ if (rv != APR_SUCCESS) return rv;
++ rv = append_to_linebuf(eval, eval->holdbuf, step_vars);
++ if (rv != APR_SUCCESS) return rv;
+ break;
+
+ case HCOM:
+- copy_to_holdbuf(eval, eval->linebuf);
++ rv = copy_to_holdbuf(eval, eval->linebuf);
++ if (rv != APR_SUCCESS) return rv;
+ break;
+
+ case CHCOM:
+- append_to_holdbuf(eval, "\n");
+- append_to_holdbuf(eval, eval->linebuf);
++ rv = append_to_holdbuf(eval, "\n");
++ if (rv != APR_SUCCESS) return rv;
++ rv = append_to_holdbuf(eval, eval->linebuf);
++ if (rv != APR_SUCCESS) return rv;
+ break;
+
+ case ICOM:
+@@ -896,7 +962,8 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
+ if (rv != APR_SUCCESS)
+ return rv;
+ }
+- append_to_linebuf(eval, "\n", step_vars);
++ rv = append_to_linebuf(eval, "\n", step_vars);
++ if (rv != APR_SUCCESS) return rv;
+ eval->pending = ipc->next;
+ break;
+
+@@ -970,9 +1037,12 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
+ break;
+
+ case XCOM:
+- copy_to_genbuf(eval, eval->linebuf);
+- copy_to_linebuf(eval, eval->holdbuf, step_vars);
+- copy_to_holdbuf(eval, eval->genbuf);
++ rv = copy_to_genbuf(eval, eval->linebuf);
++ if (rv != APR_SUCCESS) return rv;
++ rv = copy_to_linebuf(eval, eval->holdbuf, step_vars);
++ if (rv != APR_SUCCESS) return rv;
++ rv = copy_to_holdbuf(eval, eval->genbuf);
++ if (rv != APR_SUCCESS) return rv;
+ break;
+
+ case YCOM:
+--
+2.30.2
+
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-22 19:34:23 +0000