authorNick Kew <niq@apache.org>2011-05-13 12:03:59 +0000
committerNick Kew <niq@apache.org>2011-05-13 12:03:59 +0000
commiteaaa444ad982a1c1380c78d0e6457f21956d7139 (patch)
treedc8908ac517670c8b61e36e7275550f7768c8a23 /buckets
parent5e9e664d4e2136a88df4ac64f920cacaaa36ed21 (diff)
apr_brigades: prevent infinite loop on a corrupt brigade
PR 51062 git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1102687 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'buckets')
-rw-r--r--buckets/apr_brigade.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/buckets/apr_brigade.c b/buckets/apr_brigade.c
index a075674e8..02319214f 100644
--- a/buckets/apr_brigade.c
+++ b/buckets/apr_brigade.c
@@ -38,11 +38,16 @@ APR_DECLARE(apr_status_t) apr_brigade_cleanup(void *data)
{
apr_bucket_brigade *b = data;
apr_bucket *e;
+ apr_bucket *prev = NULL;
APR_BRIGADE_CHECK_CONSISTENCY(b);
while (!APR_BRIGADE_EMPTY(b)) {
e = APR_BRIGADE_FIRST(b);
+ if (e == prev) { /* PR#51062: prevent infinite loop on a corrupt brigade */
+ return APR_EGENERAL; /* FIXME: this should definitely be a "can't happen"! */
+ }
+ prev = e;
apr_bucket_delete(e);
}
/* We don't need to free(bb) because it's allocated from a pool. */
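Review bot: The early `return APR_EGENERAL;` in apr_brigade_cleanup fires only after `apr_bucket_delete(e)` has already run once on that bucket, so the brigade is left with its head still linked to a bucket that has been deleted. The loop no longer spins, but any later walk of `b` would touch that bucket, and the status returned by a cleanup function is easy for callers to ignore. Consider emptying the ring before returning, e.g. `APR_RING_INIT(&b->list, apr_bucket, link);`, if abandoning the remaining buckets to the allocator is acceptable here, and state that trade-off in the comment in place of the FIXME. The end of the function lies outside this hunk.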
@@ -323,6 +328,7 @@ APR_DECLARE(apr_status_t) apr_brigade_split_line(apr_bucket_brigade *bbOut,
apr_off_t maxbytes)
{
apr_off_t readbytes = 0;
+ apr_bucket *prev = NULL;
while (!APR_BRIGADE_EMPTY(bbIn)) {
const char *pos;
@@ -332,6 +338,10 @@ APR_DECLARE(apr_status_t) apr_brigade_split_line(apr_bucket_brigade *bbOut,
apr_bucket *e;
e = APR_BRIGADE_FIRST(bbIn);
+ if (e == prev) { /* PR#51062: prevent infinite loop on a corrupt brigade */
+ return APR_EGENERAL; /* FIXME: this should definitely be a "can't happen"! */
+ }
+ prev = e;
rv = apr_bucket_read(e, &str, &len, block);
if (rv != APR_SUCCESS) {
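Review bot: `prev` in apr_brigade_split_line is carried across iterations as a bare address, and the rest of the loop body (outside this hunk) appears to move `e` to bbOut or destroy it, so at the `e == prev` test it may name a bucket that no longer exists. That is safe only while `prev` is never dereferenced; a comment on its declaration such as `/* last head seen; compared by address only, never dereferenced */` would stop a later edit from doing so. The function's documented return values should also say that APR_EGENERAL now means bbIn failed to advance, with bbOut possibly already holding part of a line.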