author | Jeff Trawick <trawick@apache.org> | 2010-10-01 11:41:44 +0000 |
---|---|---|
committer | Jeff Trawick <trawick@apache.org> | 2010-10-01 11:41:44 +0000 |
commit | b976167c40da485a41416fb0a41a1bc2f79baddc (patch) | |
tree | ebd654aae566eb6dbd4748507a4b86bc89fbc170 /buckets | |
parent | f97449ad2ddfc6256951df39a7e657d08d73ca6e (diff) | |
SECURITY: CVE-2010-1623 (cve.mitre.org)
Fix a denial of service attack against apr_brigade_split_line().
Submitted by: sf
Reviewed by: trawick, jorton
git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1003491 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'buckets')
-rw-r--r-- | buckets/apr_brigade.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/buckets/apr_brigade.c b/buckets/apr_brigade.c index 2b5893077..a075674e8 100644 --- a/buckets/apr_brigade.c +++ b/buckets/apr_brigade.c @@ -347,7 +347,18 @@ APR_DECLARE(apr_status_t) apr_brigade_split_line(apr_bucket_brigade *bbOut, return APR_SUCCESS; } APR_BUCKET_REMOVE(e); - APR_BRIGADE_INSERT_TAIL(bbOut, e); + if (APR_BUCKET_IS_METADATA(e) || len > APR_BUCKET_BUFF_SIZE/4) { + APR_BRIGADE_INSERT_TAIL(bbOut, e); + } + else { + if (len > 0) { + rv = apr_brigade_write(bbOut, NULL, NULL, str, len); + if (rv != APR_SUCCESS) { + return rv; + } + } + apr_bucket_destroy(e); + } readbytes += len; /* We didn't find an APR_ASCII_LF within the maximum line length. */ if (readbytes >= maxbytes) { |
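Review bot: In the new else branch, the early `return rv;` after a failed apr_brigade_write() leaves `e` orphaned: APR_BUCKET_REMOVE(e) has already unlinked it from its brigade, and on this path it is neither inserted into bbOut nor passed to apr_bucket_destroy(). Either call apr_bucket_destroy(e) before returning, or do the copy first and only remove the bucket once the write has succeeded, so the caller still sees the data on error. Separately, the `len > APR_BUCKET_BUFF_SIZE/4` cutoff is an unexplained constant; a short comment above the condition saying why small data buckets are copied into bbOut rather than appended, and why a quarter of the buffer size was chosen, would help the next reader connect this to the denial of service named in the commit message.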