summaryrefslogtreecommitdiffstats
path: root/debian/patches/CVE-2022-28614.patch
blob: fdd8f6b59cb1cb0a7bba20a80b364e0e368c459e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
From 8c14927162cf3b4f810683e1c5505e9ef9e1f123 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Wed, 1 Jun 2022 12:34:16 +0000
Subject: [PATCH] Merge r1901500 from trunk:

handle large writes in ap_rputs


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901501 13f79535-47bb-0310-9956-ffa450edef68
Origin: https://github.com/apache/httpd/commit/8c14927162cf3b4f810683e1c5505e9ef9e1f123
---
 include/http_protocol.h | 22 +++++++++++++++++++++-
 server/protocol.c       |  3 +++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/include/http_protocol.h b/include/http_protocol.h
index 20bd202226..94c481e5f4 100644
--- a/include/http_protocol.h
+++ b/include/http_protocol.h
@@ -475,7 +475,27 @@ AP_DECLARE(int) ap_rwrite(const void *buf, int nbyte, request_rec *r);
  */
 static APR_INLINE int ap_rputs(const char *str, request_rec *r)
 {
-    return ap_rwrite(str, (int)strlen(str), r);
+    apr_size_t len;
+
+    len = strlen(str);
+
+    for (;;) {
+        if (len <= INT_MAX) {
+            return ap_rwrite(str, (int)len, r);
+        }
+        else {
+            int rc;
+
+            rc = ap_rwrite(str, INT_MAX, r);
+            if (rc < 0) {
+                return rc;
+            }
+            else {
+                str += INT_MAX;
+                len -= INT_MAX;
+            }
+        }
+    }
 }
 
 /**
diff --git a/server/protocol.c b/server/protocol.c
index 298f61e1fb..7adc7f75c1 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -2128,6 +2128,9 @@ AP_DECLARE(int) ap_rputc(int c, request_rec *r)
 
 AP_DECLARE(int) ap_rwrite(const void *buf, int nbyte, request_rec *r)
 {
+    if (nbyte < 0)
+        return -1;
+
     if (r->connection->aborted)
         return -1;
 
-- 
2.30.2