File apache2-CVE-2022-22721.patch of Package apache2.27904

Index: httpd-2.4.51/changes-entries/AP_MAX_LIMIT_XML_BODY.diff
===================================================================
--- /dev/null
+++ httpd-2.4.51/changes-entries/AP_MAX_LIMIT_XML_BODY.diff
@@ -0,0 +1,2 @@
+  *) core: Make sure and check that LimitXMLRequestBody fits in system memory.
+     [Ruediger Pluem, Yann Ylavic]
\ No newline at end of file
Index: httpd-2.4.51/server/core.c
===================================================================
--- httpd-2.4.51.orig/server/core.c
+++ httpd-2.4.51/server/core.c
@@ -72,6 +72,8 @@
 /* LimitXMLRequestBody handling */
 #define AP_LIMIT_UNSET                  ((long) -1)
 #define AP_DEFAULT_LIMIT_XML_BODY       ((apr_size_t)1000000)
+/* Hard limit for ap_escape_html2() */
+#define AP_MAX_LIMIT_XML_BODY           ((apr_size_t)(APR_SIZE_MAX / 6 - 1))
 
 #define AP_MIN_SENDFILE_BYTES           (256)
 
@@ -3767,6 +3769,11 @@ static const char *set_limit_xml_req_bod
     if (conf->limit_xml_body < 0)
         return "LimitXMLRequestBody requires a non-negative integer.";
 
+    /* zero is AP_MAX_LIMIT_XML_BODY (implicitly) */
+    if ((apr_size_t)conf->limit_xml_body > AP_MAX_LIMIT_XML_BODY)
+        return apr_psprintf(cmd->pool, "LimitXMLRequestBody must not exceed "
+                            "%" APR_SIZE_T_FMT, AP_MAX_LIMIT_XML_BODY);
+
     return NULL;
 }
 
@@ -3855,6 +3862,8 @@ AP_DECLARE(apr_size_t) ap_get_limit_xml_
     conf = ap_get_core_module_config(r->per_dir_config);
     if (conf->limit_xml_body == AP_LIMIT_UNSET)
         return AP_DEFAULT_LIMIT_XML_BODY;
+    if (conf->limit_xml_body == 0)
+        return AP_MAX_LIMIT_XML_BODY;
 
     return (apr_size_t)conf->limit_xml_body;
 }
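Review bot: ap_get_limit_xml_body() now carries a contract callers rely on — it never returns 0, mapping an unset value to AP_DEFAULT_LIMIT_XML_BODY and an explicit 0 to AP_MAX_LIMIT_XML_BODY — and the util_xml.c hunk in this patch drops its `limit_xml_body &&` pre-check on that basis, yet nothing in the code states it. A comment above the new branch, `/* 0 means "unlimited": map it to the largest size ap_escape_html2() can safely expand, so callers may compare against the return value without a zero check */`, or the same sentence in the public declaration's documentation, would make the coupling visible to the next person who touches either side. The function starts before this hunk.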
Index: httpd-2.4.51/server/util.c
===================================================================
--- httpd-2.4.51.orig/server/util.c
+++ httpd-2.4.51/server/util.c
@@ -2142,11 +2142,14 @@ AP_DECLARE(char *) ap_escape_urlencoded(
 
 AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc)
 {
-    int i, j;
+    apr_size_t i, j;
     char *x;
 
     /* first, count the number of extra characters */
-    for (i = 0, j = 0; s[i] != '\0'; i++)
+    for (i = 0, j = 0; s[i] != '\0'; i++) {
+        if (i + j > APR_SIZE_MAX - 6) {
+            abort();
+        }
         if (s[i] == '<' || s[i] == '>')
             j += 3;
         else if (s[i] == '&')
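Review bot: The overflow guard at the top of the counting loop is tight by one: it rejects only when `i + j > APR_SIZE_MAX - 6` before the current byte is accounted for, and that byte can add 6 (`j += 5` plus `i++`), so the loop can end with `i + j == APR_SIZE_MAX`. If the allocation after the loop (outside this hunk) sizes the buffer as `i + j + 1`, that extreme case wraps to zero; `if (i + j > APR_SIZE_MAX - 7)` would leave room for the terminator. On the XML path this is unreachable because AP_MAX_LIMIT_XML_BODY keeps `6 * len + 1` within apr_size_t, so the exposure is confined to other callers passing enormous strings, in practice only conceivable on 32-bit builds. The abort() also deserves a why-comment, since it turns the condition into a process exit rather than an error return, e.g. `/* unreachable for bodies bounded by LimitXMLRequestBody; abort rather than wrap the allocation size */`. ap_escape_html2's body continues past this hunk.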
@@ -2155,6 +2158,7 @@ AP_DECLARE(char *) ap_escape_html2(apr_p
             j += 5;
         else if (toasc && !apr_isascii(s[i]))
             j += 5;
+    }
 
     if (j == 0)
         return apr_pstrmemdup(p, s, i);
Index: httpd-2.4.51/server/util_xml.c
===================================================================
--- httpd-2.4.51.orig/server/util_xml.c
+++ httpd-2.4.51/server/util_xml.c
@@ -85,7 +85,7 @@ AP_DECLARE(int) ap_xml_parse_input(reque
             }
 
             total_read += len;
-            if (limit_xml_body && total_read > limit_xml_body) {
+            if (total_read > limit_xml_body) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00539)
                               "XML request body is larger than the configured "
                               "limit of %lu", (unsigned long)limit_xml_body);
Index: httpd-2.4.51/docs/manual/mod/core.html.en
===================================================================
--- httpd-2.4.51.orig/docs/manual/mod/core.html.en
+++ httpd-2.4.51/docs/manual/mod/core.html.en
@@ -2977,15 +2977,20 @@ from the client</td></tr>
 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Core</td></tr>
 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>core</td></tr>
 </table>
-    <p>Limit (in bytes) on maximum size of an XML-based request
-    body. A value of <code>0</code> will disable any checking.</p>
+    <p>Limit (in bytes) on the maximum size of an XML-based request
+    body. A value of <code>0</code> will apply a hard limit (depending on
+    32bit vs 64bit system) allowing for XML escaping within the bounds of
+    the system addressable memory, but it exists for compatibility only
+    and is not recommended since it does not account for memory consumed
+    elsewhere or concurrent requests, which might result in an overall
+    system out-of-memory.<p>
 
     <p>Example:</p>
 
-    <pre class="prettyprint lang-config">LimitXMLRequestBody 0</pre>
-
-
-
+    <pre class="prettyprint lang-config">
+    # Limit of 1 MiB
+    LimitXMLRequestBody 1073741824
+    </pre>
 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="Location" id="Location">&lt;Location&gt;</a> <a name="location" id="location">Directive</a></h2>
Index: httpd-2.4.51/docs/manual/mod/core.html.es
===================================================================
--- httpd-2.4.51.orig/docs/manual/mod/core.html.es
+++ httpd-2.4.51/docs/manual/mod/core.html.es
@@ -2527,13 +2527,19 @@ from the client</td></tr>
 <tr><th><a href="directive-dict.html#Status">Estado:</a></th><td>Core</td></tr>
 <tr><th><a href="directive-dict.html#Module">M&#243;dulo:</a></th><td>core</td></tr>
 </table>
-    <p>Limit (in bytes) on maximum size of an XML-based request
-    body. A value of <code>0</code> will disable any checking.</p>
+    <p>Limit (in bytes) on the maximum size of an XML-based request
+    body. A value of <code>0</code> will apply a hard limit (depending on
+    32bit vs 64bit system) allowing for XML escaping within the bounds of
+    the system addressable memory, but it exists for compatibility only
+    and is not recommended since it does not account for memory consumed
+    elsewhere or concurrent requests, which might result in an overall
+    system out-of-memory.<p>
 
     <p>Example:</p>
 
     <div class="example"><p><code>
-      LimitXMLRequestBody 0
+    # Limit of 1 MiB
+    LimitXMLRequestBody 1073741824
     </code></p></div>
 