File apache2-CVE-2022-22721.patch of Package apache2.28223

Overview Repositories Revisions Requests Users Attributes Meta

File apache2-CVE-2022-22721.patch of Package apache2.28223

Index: httpd-2.4.33/changes-entries/AP_MAX_LIMIT_XML_BODY.diff
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ httpd-2.4.33/changes-entries/AP_MAX_LIMIT_XML_BODY.diff	2022-03-17 11:49:36.414800265 +0100
@@ -0,0 +1,2 @@
+  *) core: Make sure and check that LimitXMLRequestBody fits in system memory.
+     [Ruediger Pluem, Yann Ylavic]
\ No newline at end of file
Index: httpd-2.4.33/server/core.c
===================================================================
--- httpd-2.4.33.orig/server/core.c	2022-03-17 11:49:36.174798921 +0100
+++ httpd-2.4.33/server/core.c	2022-03-17 11:49:36.418800288 +0100
@@ -66,6 +66,8 @@
 /* LimitXMLRequestBody handling */
 #define AP_LIMIT_UNSET                  ((long) -1)
 #define AP_DEFAULT_LIMIT_XML_BODY       ((apr_size_t)1000000)
+/* Hard limit for ap_escape_html2() */
+#define AP_MAX_LIMIT_XML_BODY           ((apr_size_t)(APR_SIZE_MAX / 6 - 1))
 
 #define AP_MIN_SENDFILE_BYTES           (256)
 
@@ -3652,6 +3654,11 @@ static const char *set_limit_xml_req_bod
     if (conf->limit_xml_body < 0)
         return "LimitXMLRequestBody requires a non-negative integer.";
 
+    /* zero is AP_MAX_LIMIT_XML_BODY (implicitly) */
+    if ((apr_size_t)conf->limit_xml_body > AP_MAX_LIMIT_XML_BODY)
+        return apr_psprintf(cmd->pool, "LimitXMLRequestBody must not exceed "
+                            "%" APR_SIZE_T_FMT, AP_MAX_LIMIT_XML_BODY);
+
     return NULL;
 }
 
@@ -3740,6 +3747,8 @@ AP_DECLARE(apr_size_t) ap_get_limit_xml_
     conf = ap_get_core_module_config(r->per_dir_config);
     if (conf->limit_xml_body == AP_LIMIT_UNSET)
         return AP_DEFAULT_LIMIT_XML_BODY;
+    if (conf->limit_xml_body == 0)
+        return AP_MAX_LIMIT_XML_BODY;
 
     return (apr_size_t)conf->limit_xml_body;
 }
Index: httpd-2.4.33/server/util.c
===================================================================
--- httpd-2.4.33.orig/server/util.c	2022-03-17 11:49:36.330799795 +0100
+++ httpd-2.4.33/server/util.c	2022-03-17 11:49:36.418800288 +0100
@@ -2037,11 +2037,14 @@ AP_DECLARE(char *) ap_escape_urlencoded(
 
 AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc)
 {
-    int i, j;
+    apr_size_t i, j;
     char *x;
 
     /* first, count the number of extra characters */
-    for (i = 0, j = 0; s[i] != '\0'; i++)
+    for (i = 0, j = 0; s[i] != '\0'; i++) {
+        if (i + j > APR_SIZE_MAX - 6) {
+            abort();
+        }
         if (s[i] == '<' || s[i] == '>')
             j += 3;
         else if (s[i] == '&')
@@ -2050,6 +2053,7 @@ AP_DECLARE(char *) ap_escape_html2(apr_p
             j += 5;
         else if (toasc && !apr_isascii(s[i]))
             j += 5;
+    }
 
     if (j == 0)
         return apr_pstrmemdup(p, s, i);
Index: httpd-2.4.33/server/util_xml.c
===================================================================
--- httpd-2.4.33.orig/server/util_xml.c	2015-05-29 22:07:15.000000000 +0200
+++ httpd-2.4.33/server/util_xml.c	2022-03-17 11:49:36.418800288 +0100
@@ -85,7 +85,7 @@ AP_DECLARE(int) ap_xml_parse_input(reque
             }
 
             total_read += len;
-            if (limit_xml_body && total_read > limit_xml_body) {
+            if (total_read > limit_xml_body) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00539)
                               "XML request body is larger than the configured "
                               "limit of %lu", (unsigned long)limit_xml_body);

Places

File apache2-CVE-2022-22721.patch of Package apache2.28223

Places