author | clement <clement@FreeBSD.org> | 2004-11-11 02:24:44 +0800 |
---|---|---|
committer | clement <clement@FreeBSD.org> | 2004-11-11 02:24:44 +0800 |
commit | bc43ee20d71b8fc31a4d41ffe27e3bd2d7672d0b (patch) | |
tree | eb00bda220fb23b1ee4981c88a7bc99972fe9e64 /www | |
parent | af96579ecebbe71f58fcc137887df640b0654fac (diff) | |
- Fix memory consumption DoS, CVE CAN-2004-0942
Reported by: josef
Obtained from: Apache CVS
Diffstat (limited to 'www')
-rw-r--r-- | www/apache2/Makefile | 2 | ||||
-rw-r--r-- | www/apache2/files/patch-secfix-CAN-2004-0942 | 104 | ||||
-rw-r--r-- | www/apache20/Makefile | 2 | ||||
-rw-r--r-- | www/apache20/files/patch-secfix-CAN-2004-0942 | 104 |
4 files changed, 210 insertions, 2 deletions
diff --git a/www/apache2/Makefile b/www/apache2/Makefile
index 00d3a2af9c1b..6524b7561da5 100644
--- a/www/apache2/Makefile
+++ b/www/apache2/Makefile
@@ -9,7 +9,7 @@
 PORTNAME= apache
 PORTVERSION= 2.0.52
-PORTREVISION= 2
+PORTREVISION= 3
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \
 ${MASTER_SITE_LOCAL:S/%SUBDIR%/clement/}:powerlogo
diff --git a/www/apache2/files/patch-secfix-CAN-2004-0942 b/www/apache2/files/patch-secfix-CAN-2004-0942
new file mode 100644
index 000000000000..2f67f7c4013d
--- /dev/null
+++ b/www/apache2/files/patch-secfix-CAN-2004-0942
@@ -0,0 +1,104 @@
+===================================================================
+RCS file: /home/cvspublic/httpd-2.0/server/protocol.c,v
+retrieving revision 1.121.2.21
+retrieving revision 1.121.2.22
+diff -u -r1.121.2.21 -r1.121.2.22
+--- server/protocol.c 2004/09/23 18:18:36 1.121.2.21
++++ server/protocol.c 2004/11/10 11:32:40 1.121.2.22
+@@ -305,35 +305,13 @@
+ }
+ }
+
+- /* We now go backwards over any CR (if present) or white spaces.
+- *
+- * Trim any extra trailing spaces or tabs except for the first
+- * space or tab at the beginning of a blank string. This makes
+- * it much easier to check field values for exact matches, and
+- * saves memory as well. Terminate string at end of line.
+- */
+- pos = last_char;
+- if (pos > *s && *(pos - 1) == APR_ASCII_CR) {
+- --pos;
+- }
+-
+- /* Trim any extra trailing spaces or tabs except for the first
+- * space or tab at the beginning of a blank string. This makes
+- * it much easier to check field values for exact matches, and
+- * saves memory as well.
+- */
+- while (pos > ((*s) + 1)
+- && (*(pos - 1) == APR_ASCII_BLANK || *(pos - 1) == APR_ASCII_TAB)) {
+- --pos;
++ /* Now NUL-terminate the string at the end of the line;
++ * if the last-but-one character is a CR, terminate there */
++ if (last_char > *s && last_char[-1] == APR_ASCII_CR) {
++ last_char--;
+ }
+-
+- /* Since we want to remove the LF from the line, we'll go ahead
+- * and set this last character to be the term NULL and reset
+- * bytes_handled accordingly.
+- */
+- *pos = '\0';
+- last_char = pos;
+- bytes_handled = pos - *s;
++ *last_char = '\0';
++ bytes_handled = last_char - *s;
+
+ /* If we're folding, we have more work to do.
+ *
+@@ -750,7 +728,7 @@
+ last_len += len;
+ folded = 1;
+ }
+- else {
++ else /* not a continuation line */ {
+
+ if (r->server->limit_req_fields
+ && (++fields_read > r->server->limit_req_fields)) {
+@@ -773,29 +751,26 @@
+ "</pre>\n", NULL));
+ return;
+ }
++
++ tmp_field = value - 1; /* last character of field-name */
++
++ *value++ = '\0'; /* NUL-terminate at colon */
+
+- *value = '\0';
+- tmp_field = value; /* used to trim the whitespace between key
+- * token and separator
+- */
+- ++value;
+ while (*value == ' ' || *value == '\t') {
+ ++value; /* Skip to start of value */
+ }
+
+- /* This check is to avoid any invalid memory reference while
+- * traversing backwards in the key. To avoid a case where
+- * the header starts with ':' (or with just some white
+- * space and the ':') followed by the value
+- */
+- if (tmp_field > last_field) {
+- --tmp_field;
+- while ((tmp_field > last_field) &&
+- (*tmp_field == ' ' || *tmp_field == '\t')) {
+- --tmp_field; /* Removing LWS between key and ':' */
+- }
+- ++tmp_field;
+- *tmp_field = '\0';
++ /* Strip LWS after field-name: */
++ while (tmp_field > last_field
++ && (*tmp_field == ' ' || *tmp_field == '\t')) {
++ *tmp_field-- = '\0';
++ }
++
++ /* Strip LWS after field-value: */
++ tmp_field = last_field + last_len - 1;
++ while (tmp_field > value
++ && (*tmp_field == ' ' || *tmp_field == '\t')) {
++ *tmp_field-- = '\0';
+ }
+
+ apr_table_addn(r->headers_in, last_field, value);
+
diff --git a/www/apache20/Makefile b/www/apache20/Makefile
index 00d3a2af9c1b..6524b7561da5 100644
--- a/www/apache20/Makefile
+++ b/www/apache20/Makefile
@@ -9,7 +9,7 @@
 PORTNAME= apache
 PORTVERSION= 2.0.52
-PORTREVISION= 2
+PORTREVISION= 3
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \
 ${MASTER_SITE_LOCAL:S/%SUBDIR%/clement/}:powerlogo
diff --git a/www/apache20/files/patch-secfix-CAN-2004-0942 b/www/apache20/files/patch-secfix-CAN-2004-0942
new file mode 100644
index 000000000000..2f67f7c4013d
--- /dev/null
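Review bot: In the last protocol.c hunk of www/apache2/files/patch-secfix-CAN-2004-0942 (`@@ -773,29 +751,26 @@`), `tmp_field = value - 1;` is evaluated before anything establishes that the colon is not the first byte of the line, so for a header that starts with ':' it forms a pointer one element before `last_field`. The `tmp_field > last_field` bound in the following loop keeps that pointer from being dereferenced, but the removed comment that explained this case is gone and the arithmetic itself is outside the object; I would either guard the strip with `if (value > last_field)` or restore a one-line comment such as `/* field-name may be empty (line starts with ':'); the > last_field bound keeps the scan inside the buffer */`. The second loop relies on `last_len` still being the exact length of the string at `last_field`; that value is set outside the hunk, as is the start of the enclosing function, so it cannot be confirmed from here. The patch file added under www/apache20 is the same blob (2f67f7c4013d) and carries the same code.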
+++ b/www/apache20/files/patch-secfix-CAN-2004-0942 
@@ -0,0 +1,104 @@
+===================================================================
+RCS file: /home/cvspublic/httpd-2.0/server/protocol.c,v
+retrieving revision 1.121.2.21
+retrieving revision 1.121.2.22
+diff -u -r1.121.2.21 -r1.121.2.22
+--- server/protocol.c 2004/09/23 18:18:36 1.121.2.21
++++ server/protocol.c 2004/11/10 11:32:40 1.121.2.22
+@@ -305,35 +305,13 @@
+ }
+ }
+
+- /* We now go backwards over any CR (if present) or white spaces.
+- *
+- * Trim any extra trailing spaces or tabs except for the first
+- * space or tab at the beginning of a blank string. This makes
+- * it much easier to check field values for exact matches, and
+- * saves memory as well. Terminate string at end of line.
+- */
+- pos = last_char;
+- if (pos > *s && *(pos - 1) == APR_ASCII_CR) {
+- --pos;
+- }
+-
+- /* Trim any extra trailing spaces or tabs except for the first
+- * space or tab at the beginning of a blank string. This makes
+- * it much easier to check field values for exact matches, and
+- * saves memory as well.
+- */
+- while (pos > ((*s) + 1)
+- && (*(pos - 1) == APR_ASCII_BLANK || *(pos - 1) == APR_ASCII_TAB)) {
+- --pos;
++ /* Now NUL-terminate the string at the end of the line;
++ * if the last-but-one character is a CR, terminate there */
++ if (last_char > *s && last_char[-1] == APR_ASCII_CR) {
++ last_char--;
+ }
+-
+- /* Since we want to remove the LF from the line, we'll go ahead
+- * and set this last character to be the term NULL and reset
+- * bytes_handled accordingly.
+- */
+- *pos = '\0';
+- last_char = pos;
+- bytes_handled = pos - *s;
++ *last_char = '\0';
++ bytes_handled = last_char - *s;
+
+ /* If we're folding, we have more work to do.
+ *
+@@ -750,7 +728,7 @@
+ last_len += len;
+ folded = 1;
+ }
+- else {
++ else /* not a continuation line */ {
+
+ if (r->server->limit_req_fields
+ && (++fields_read > r->server->limit_req_fields)) {
+@@ -773,29 +751,26 @@
+ "</pre>\n", NULL));
+ return;
+ }
++
++ tmp_field = value - 1; /* last character of field-name */
++
++ *value++ = '\0'; /* NUL-terminate at colon */
+
+- *value = '\0';
+- tmp_field = value; /* used to trim the whitespace between key
+- * token and separator
+- */
+- ++value;
+ while (*value == ' ' || *value == '\t') {
+ ++value; /* Skip to start of value */
+ }
+
+- /* This check is to avoid any invalid memory reference while
+- * traversing backwards in the key. To avoid a case where
+- * the header starts with ':' (or with just some white
+- * space and the ':') followed by the value
+- */
+- if (tmp_field > last_field) {
+- --tmp_field;
+- while ((tmp_field > last_field) &&
+- (*tmp_field == ' ' || *tmp_field == '\t')) {
+- --tmp_field; /* Removing LWS between key and ':' */
+- }
+- ++tmp_field;
+- *tmp_field = '\0';
++ /* Strip LWS after field-name: */
++ while (tmp_field > last_field
++ && (*tmp_field == ' ' || *tmp_field == '\t')) {
++ *tmp_field-- = '\0';
++ }
++
++ /* Strip LWS after field-value: */
++ tmp_field = last_field + last_len - 1;
++ while (tmp_field > value
++ && (*tmp_field == ' ' || *tmp_field == '\t')) {
++ *tmp_field-- = '\0';
+ }
+
+ apr_table_addn(r->headers_in, last_field, value);
+ |