Commit ad581ced authored Jun 19, 2017 by Eric Covener

Merge r1796350 from trunk:

short-circuit on NULL

Submitted By: jchampion
Reviewed By: jchampion, wrowe, ylavic



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1799228 13f79535-47bb-0310-9956-ffa450edef68

parent 7ca24c82

CHANGES

+7 −0

Original line number	Diff line number	Diff line
		-- coding: utf-8 --
		Changes with Apache 2.2.33

		*) SECURITY: CVE-2017-7668 (cve.mitre.org)
		The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
		bug in token list parsing, which allows ap_find_token() to search past
		the end of its input string. By maliciously crafting a sequence of
		request headers, an attacker may be able to cause a segmentation fault,
		or to force ap_find_token() to return an incorrect value.

		*) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
		[Joe Orton]

STATUS

+0 −5

Original line number	Diff line number	Diff line
		@@ -104,11 +104,6 @@ RELEASE SHOWSTOPPERS:
		PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
		[ start all new proposals below, under PATCHES PROPOSED. ]

		*) core: Terminate token processing on NULL.
		trunk patch: https://svn.apache.org/r1796350
		2.2.x patch: svn merge -c 1796350 ^/httpd/httpd/trunk .
		+1: jchampion, wrowe, ylavic

		*) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
		to ssl_io_filter_error(). [Yann Ylavic]
		trunk patch: https://svn.apache.org/r1796343

server/util.c

+2 −4

Original line number	Diff line number	Diff line
		@@ -1513,10 +1513,8 @@ AP_DECLARE(int) ap_find_token(apr_pool_t p, const char line, const char *tok)

		s = (const unsigned char *)line;
		for (;;) {
		/* find start of token, skip all stop characters, note NUL
		* isn't a token stop, so we don't need to test for it
		*/
		while (TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
		/* find start of token, skip all stop characters */
		while (s && TEST_CHAR(s, T_HTTP_TOKEN_STOP)) {
		++s;
		}
		if (!*s) {