File httpd-2.2.x-CVE-2008-2364.patch of Package apache2
Taken from: http://svn.apache.org/viewvc?view=rev&revision=666154
--- httpd/httpd/trunk/modules/proxy/mod_proxy_http.c 2008/06/10 15:29:09 666153
+++ httpd/httpd/trunk/modules/proxy/mod_proxy_http.c 2008/06/10 15:30:00 666154
@@ -1312,6 +1312,16 @@
return rv;
}
+/*
+ * Limit the number of interim respones we sent back to the client. Otherwise
+ * we suffer from a memory build up. Besides there is NO sense in sending back
+ * an unlimited number of interim responses to the client. Thus if we cross
+ * this limit send back a 502 (Bad Gateway).
+ */
+#ifndef AP_MAX_INTERIM_RESPONSES
+#define AP_MAX_INTERIM_RESPONSES 10
+#endif
+
static
apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
proxy_conn_rec *backend,
@@ -1326,8 +1336,8 @@
apr_bucket *e;
apr_bucket_brigade *bb, *tmp_bb;
int len, backasswards;
- int interim_response; /* non-zero whilst interim 1xx responses
- * are being read. */
+ int interim_response = 0; /* non-zero whilst interim 1xx responses
+ * are being read. */
int pread_len = 0;
apr_table_t *save_table;
int backend_broke = 0;
@@ -1577,7 +1587,12 @@
backend->close += 1;
}
- interim_response = ap_is_HTTP_INFO(r->status);
+ if (ap_is_HTTP_INFO(r->status)) {
+ interim_response++;
+ }
+ else {
+ interim_response = 0;
+ }
if (interim_response) {
/* RFC2616 tells us to forward this.
*
@@ -1778,7 +1793,15 @@
apr_brigade_cleanup(bb);
}
- } while (interim_response);
+ } while (interim_response && (interim_response < AP_MAX_INTERIM_RESPONSES));
+
+ /* See define of AP_MAX_INTERIM_RESPONSES for why */
+ if (interim_response >= AP_MAX_INTERIM_RESPONSES) {
+ return ap_proxyerror(r, HTTP_BAD_GATEWAY,
+ apr_psprintf(p,
+ "Too many (%d) interim responses from origin server",
+ interim_response));
+ }
/* If our connection with the client is to be aborted, return DONE. */
if (c->aborted || backend_broke) {
