SECURITY: CVE-2010-1623 (cve.mitre.org)

Fix a denial of service attack against apr_brigade_split_line(). Submitted by: sf Reviewed by: trawick, jorton git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1003491 13f79535-47bb-0310-9956-ffa450edef68
author: Jeff Trawick <trawick@apache.org> 2010-10-01 11:41:44 +0000
committer: Jeff Trawick <trawick@apache.org> 2010-10-01 11:41:44 +0000
commit: b976167c40da485a41416fb0a41a1bc2f79baddc (patch)
tree: ebd654aae566eb6dbd4748507a4b86bc89fbc170 /buckets
parent: f97449ad2ddfc6256951df39a7e657d08d73ca6e (diff)
download: apr-b976167c40da485a41416fb0a41a1bc2f79baddc.tar.gz
1 files changed, 12 insertions, 1 deletions
diff --git a/buckets/apr_brigade.c b/buckets/apr_brigade.c
index 2b5893077..a075674e8 100644
--- a/buckets/apr_brigade.c
+++ b/buckets/apr_brigade.c
@@ -347,7 +347,18 @@ APR_DECLARE(apr_status_t) apr_brigade_split_line(apr_bucket_brigade *bbOut,
             return APR_SUCCESS;
         }
         APR_BUCKET_REMOVE(e);
-        APR_BRIGADE_INSERT_TAIL(bbOut, e);
+        if (APR_BUCKET_IS_METADATA(e) || len > APR_BUCKET_BUFF_SIZE/4) {
+            APR_BRIGADE_INSERT_TAIL(bbOut, e);
+        }
+        else {
+            if (len > 0) {
+                rv = apr_brigade_write(bbOut, NULL, NULL, str, len);
+                if (rv != APR_SUCCESS) {
+                    return rv;
+                }
+            }
+            apr_bucket_destroy(e);
+        }
         readbytes += len;
         /* We didn't find an APR_ASCII_LF within the maximum line length. */
         if (readbytes >= maxbytes) {
author	Jeff Trawick <trawick@apache.org>	2010-10-01 11:41:44 +0000
committer	Jeff Trawick <trawick@apache.org>	2010-10-01 11:41:44 +0000
commit	b976167c40da485a41416fb0a41a1bc2f79baddc (patch)
tree	ebd654aae566eb6dbd4748507a4b86bc89fbc170 /buckets
parent	f97449ad2ddfc6256951df39a7e657d08d73ca6e (diff)
download	apr-b976167c40da485a41416fb0a41a1bc2f79baddc.tar.gz