Commit 20e0d479 authored by William A. Rowe Jr

Backports: r892678

Submitted by: niq
Reject requests containing (invalid) NULL characters in request line
or request headers.
PR 43039

Backports: r892808
Submitted by: rpluem
Fix up r892678


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x-merge-http-strict@1775731 13f79535-47bb-0310-9956-ffa450edef68
parent 6d4cdf1c
+3 −0
@@ -11,6 +11,9 @@ Changes with Apache 2.2.31
  *) core: Do not over allocate memory within 'ap_rgetline_core' for
     the common case. [Christophe Jaillet]

  *) Core: reject NULLs in request line or request headers.
     PR 43039 [Nick Kew]

Changes with Apache 2.2.30 (not released)

  *) SECURITY: CVE-2015-3183 (cve.mitre.org)
+19 −4
@@ -426,8 +426,13 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
            }
        }
    }

    *read = bytes_handled;

    /* PR#43039: We shouldn't accept NULL bytes within the line */
    if (strlen(*s) < bytes_handled) {
        return APR_EINVAL;
    }

    return APR_SUCCESS;
}

@@ -602,6 +607,9 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
            else if (APR_STATUS_IS_TIMEUP(rv)) {
                r->status = HTTP_REQUEST_TIME_OUT;
            }
            else if (rv == APR_EINVAL) {
                r->status = HTTP_BAD_REQUEST;
            }
            r->proto_num = HTTP_VERSION(1,0);
            r->protocol  = apr_pstrdup(r->pool, "HTTP/1.0");
            return 0;
@@ -916,9 +924,16 @@ request_rec *ap_read_request(conn_rec *conn)

    /* Get the request... */
    if (!read_request_line(r, tmp_bb)) {
        if (r->status == HTTP_REQUEST_URI_TOO_LARGE) {
        if (r->status == HTTP_REQUEST_URI_TOO_LARGE
            || r->status == HTTP_BAD_REQUEST) {
            if (r->status == HTTP_BAD_REQUEST) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                              "request failed: invalid characters in URI");
            }
            else {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                              "request failed: URI too long (longer than %d)", r->server->limit_req_line);
            }
            ap_send_error_response(r, 0);
            ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
            ap_run_log_transaction(r);
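Review bot: The new log text in ap_read_request, `"request failed: invalid characters in URI"`, is written for every HTTP_BAD_REQUEST that read_request_line reports, but that status is set from `rv == APR_EINVAL` for the whole line read, so a NUL byte in the method or protocol token is logged as a URI problem. The check added in ap_rgetline_core (`strlen(*s) < bytes_handled`) covers the entire line, so `"request failed: invalid characters in request line"` would describe the rejection accurately and help anyone triaging the error log for requests that rely on string truncation. APR_EINVAL may also reach this branch from the underlying read rather than from the NUL check; that path is not visible here, which is another reason not to name the URI specifically. The bodies of ap_rgetline_core, read_request_line and ap_read_request all start outside the hunks shown.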