
From 4022c12f314bd89d127d1be008b1a80a08e1203d Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hans.zandbelt@openidc.com>
Date: Tue, 6 Feb 2024 23:45:40 +0100
Subject: [PATCH] release 2.4.15.2: fix DoS CVE-2024-24814

fix CVE-2024-24814: DoS when `OIDCSessionType client-cookie` is set and
a crafted Cookie header is supplied
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv

Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>
---
 ChangeLog    |  5 +++++
 configure.ac |  2 +-
 src/util.c   | 33 +++++++++++++++++----------------
 3 files changed, 23 insertions(+), 17 deletions(-)

Index: mod_auth_openidc-2.3.8/src/util.c
===================================================================
--- mod_auth_openidc-2.3.8.orig/src/util.c
+++ mod_auth_openidc-2.3.8/src/util.c
@@ -1155,25 +1155,24 @@ static char *oidc_util_get_chunk_cookie_
  */
 char *oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName,
 		int chunkSize) {
-	char *cookieValue = NULL;
-	char *chunkValue = NULL;
-	int i = 0;
-	if (chunkSize == 0) {
-		cookieValue = oidc_util_get_cookie(r, cookieName);
-	} else {
-		int chunkCount = oidc_util_get_chunked_count(r, cookieName);
-		if (chunkCount > 0) {
-			cookieValue = "";
-			for (i = 0; i < chunkCount; i++) {
-				chunkValue = oidc_util_get_cookie(r,
-						oidc_util_get_chunk_cookie_name(r, cookieName, i));
-				if (chunkValue != NULL)
-					cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue,
-							chunkValue);
-			}
-		} else {
-			cookieValue = oidc_util_get_cookie(r, cookieName);
+	char *cookieValue = NULL, *chunkValue = NULL;
+	int chunkCount = 0, i = 0;
+	if (chunkSize == 0)
+		return oidc_util_get_cookie(r, cookieName);
+	chunkCount = oidc_util_get_chunked_count(r, cookieName);
+	if (chunkCount == 0)
+		return oidc_util_get_cookie(r, cookieName);
+	if ((chunkCount < 0) || (chunkCount > 99)) {
+		oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
+		return NULL;
+	}
+	for (i = 0; i < chunkCount; i++) {
+		chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
+		if (chunkValue == NULL) {
+			oidc_warn(r, "could not find chunk %d; aborting", i);
+			break;
 		}
+		cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue);
 	}
 	return cookieValue;
 }
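Review bot: The missing-chunk branch logs "aborting" but then falls through to `return cookieValue;`, so the caller receives the partially reassembled chunks 0..i-1 rather than an error; a truncated session value will at best fail later validation and at worst be handed to decoding with no indication it is incomplete. Since the new code already treats an inconsistent chunk set as an error (the out-of-bounds check returns NULL), the same should apply here: replace `break;` with `return NULL;`, or set `cookieValue = NULL; break;` so the function's two failure modes are consistent. The new upper bound `99` would also read better as a named constant, e.g. `#define OIDC_MAX_COOKIE_CHUNKS 99`, with a comment stating that the count comes from a client-supplied cookie and is capped to bound per-request work. The bound itself is the right fix for the advisory, since `oidc_util_get_chunked_count` (outside this hunk) presumably derives the count from the request's Cookie header.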