authorWilliam A. Rowe Jr <wrowe@apache.org>2009-08-04 11:33:08 +0000
committerWilliam A. Rowe Jr <wrowe@apache.org>2009-08-04 11:33:08 +0000
commit27a039c7b4d7597c15eb7f241f97b56abb0d7a01 (patch)
tree1e79312420afb90539d8e43db18c0f59a22e71f1 /util-misc
parentf0bfb97115fe1666d021c0007af8d4f08bd59509 (diff)
SECURITY: CVE-2009-2412 (cve.mitre.org)
Fix overflow in pools and rmm, where size alignment was taking place. Reported by: Matt Lewis <mattlewis@google.com> * CHANGES Add entry for CVE-2009-2412. * memory/unix/apr_pools.c (allocator_alloc, apr_palloc): Check for overflow after aligning size. (apr_pcalloc): Drop aligning of size; clearing what the caller asked for should suffice. * util-misc/apr_rmm.c (apr_rmm_malloc, apr_rmm_calloc, apr_rmm_realloc): Check for overflow after aligning size. Submitted by: Matt Lewis <mattlewis@google.com>, Sander Striker git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@800730 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'util-misc')
-rw-r--r--util-misc/apr_rmm.c29
1 files changed, 20 insertions, 9 deletions
diff --git a/util-misc/apr_rmm.c b/util-misc/apr_rmm.c
index e90be1e7c..91e30885f 100644
--- a/util-misc/apr_rmm.c
+++ b/util-misc/apr_rmm.c
@@ -306,13 +306,17 @@ APR_DECLARE(apr_status_t) apr_rmm_detach(apr_rmm_t *rmm)
APR_DECLARE(apr_rmm_off_t) apr_rmm_malloc(apr_rmm_t *rmm, apr_size_t reqsize)
{
+ apr_size_t size;
apr_rmm_off_t this;
- reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+ size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+ if (size < reqsize) {
+ return 0;
+ }
APR_ANYLOCK_LOCK(&rmm->lock);
- this = find_block_of_size(rmm, reqsize);
+ this = find_block_of_size(rmm, size);
if (this) {
move_block(rmm, this, 0);
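Review bot: The guard `if (size < reqsize)` is correct but why a single comparison suffices is non-obvious: it has to catch both a wrap inside APR_ALIGN_DEFAULT (the aligned value collapses to 0 and size becomes RMM_BLOCK_SIZE) and a wrap from the `+ RMM_BLOCK_SIZE` (size lands below RMM_BLOCK_SIZE), and in both cases the result is far below a reqsize that large, assuming RMM_BLOCK_SIZE is a small header constant. A one-line comment on the check would spare the next reader the derivation: `/* wrapped in the align or the header add: either leaves size below reqsize */`. Returning 0 reuses the allocation-failure sentinel, so callers cannot distinguish an oversized request from an exhausted segment; that matches the calloc path and is presumably acceptable for this API. apr_rmm_malloc's body continues past the hunk.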
@@ -325,18 +329,22 @@ APR_DECLARE(apr_rmm_off_t) apr_rmm_malloc(apr_rmm_t *rmm, apr_size_t reqsize)
APR_DECLARE(apr_rmm_off_t) apr_rmm_calloc(apr_rmm_t *rmm, apr_size_t reqsize)
{
+ apr_size_t size;
apr_rmm_off_t this;
- reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+ size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+ if (size < reqsize) {
+ return 0;
+ }
APR_ANYLOCK_LOCK(&rmm->lock);
- this = find_block_of_size(rmm, reqsize);
+ this = find_block_of_size(rmm, size);
if (this) {
move_block(rmm, this, 0);
this += RMM_BLOCK_SIZE;
- memset((char*)rmm->base + this, 0, reqsize - RMM_BLOCK_SIZE);
+ memset((char*)rmm->base + this, 0, size - RMM_BLOCK_SIZE);
}
APR_ANYLOCK_UNLOCK(&rmm->lock);
@@ -349,16 +357,19 @@ APR_DECLARE(apr_rmm_off_t) apr_rmm_realloc(apr_rmm_t *rmm, void *entity,
apr_rmm_off_t this;
apr_rmm_off_t old;
struct rmm_block_t *blk;
- apr_size_t oldsize;
+ apr_size_t size, oldsize;
if (!entity) {
return apr_rmm_malloc(rmm, reqsize);
}
- reqsize = APR_ALIGN_DEFAULT(reqsize);
+ size = APR_ALIGN_DEFAULT(reqsize);
+ if (size < reqsize) {
+ return 0;
+ }
old = apr_rmm_offset_get(rmm, entity);
- if ((this = apr_rmm_malloc(rmm, reqsize)) == 0) {
+ if ((this = apr_rmm_malloc(rmm, size)) == 0) {
return 0;
}
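Review bot: The alignment and wrap check added ahead of `apr_rmm_malloc(rmm, size)` repeats what apr_rmm_malloc now does itself (APR_ALIGN_DEFAULT is idempotent, so it re-aligns `size` and runs its own check on the header add); the local check is still needed because `size` is the bound of the memcpy later in the function, but nothing in the hunk says so. A comment on the new line would make the intent explicit: `/* keep the aligned size: it bounds the copy below; malloc re-checks its own header add */`. On failure the function returns 0 with `entity` untouched, which is the right realloc behaviour. apr_rmm_realloc's signature and the rest of its body lie outside this hunk.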
@@ -366,7 +377,7 @@ APR_DECLARE(apr_rmm_off_t) apr_rmm_realloc(apr_rmm_t *rmm, void *entity,
oldsize = blk->size;
memcpy(apr_rmm_addr_get(rmm, this),
- apr_rmm_addr_get(rmm, old), oldsize < reqsize ? oldsize : reqsize);
+ apr_rmm_addr_get(rmm, old), oldsize < size ? oldsize : size);
apr_rmm_free(rmm, old);
return this;
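Review bot: The copy bound `oldsize < size ? oldsize : size` compares the caller's aligned request against `blk->size`, and if blk->size records the whole block including its RMM_BLOCK_SIZE header — the value apr_rmm_malloc hands to find_block_of_size is `APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE` — then on a growing realloc memcpy reads RMM_BLOCK_SIZE bytes past the old payload into whatever follows it in the segment. This predates the commit and cannot be confirmed from the hunk alone, since find_block_of_size and the block struct are outside it; if it holds, the bound should be the payload length, e.g. `apr_size_t oldpayload = oldsize - RMM_BLOCK_SIZE;` and `oldpayload < size ? oldpayload : size` in the memcpy. The destination side is safe either way, because the new block was requested at `size` and so holds at least that much. The function's body starts before this hunk.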