PATCH: apache 1.3.24 chunk size thingy - cert_vucert944335_1.3.24

To: Matthew Wilcox <willy@debian.org>, Steve Langasek <vorlon@debian.org>, debian-security@lists.debian.org
Subject: PATCH: apache 1.3.24 chunk size thingy - cert_vucert944335_1.3.24
From: Matthew Grant <grantma@anathoth.gen.nz>
Date: 20 Jun 2002 20:15:06 +1200
Message-id: <[🔎] 1024560906.27884.12.camel@zion>

Hi THere! 

Here is a rehashed version of the patch cert_vucert944335 chunk fix
patch used in apache_1.3.9-14.1 for potato which works for apache in
woody and sid. 

The only thing stopping it was a comment about EBCDIC! 

Got to go  - test this thing on s390 as well! 

Uploading .debs to fix apache chunk size stuff for i386 on woody and sid
NOW!  Source .dsc and .diff is there if others want to build for other
architectures. The i386 .deb works on my home system.

Did not know how to do NMU with new security system, or someone else can
look after it. Matthew? Steve?

Best Regards, 

Matthew Grant 
-- 
===============================================================================
Matthew Grant	     /\	 ^/\^	grantma@anathoth.gen.nz      /~~~~\
A Linux Network Guy /~~\^/~~\_/~~~~~\_______/~~~~~~~~~~\____/******\
===GPG KeyID: 2EE20270  FingerPrint:
8C2535E1A11DF3EA5EA19125BA4E790E2EE20270==

--- build-tree/apache_1.3.24/src/main/http_protocol.c.cert_vucert944335	Fri Mar 22 02:49:46 2002
+++ build-tree/apache_1.3.24/src/main/http_protocol.c	Thu Jun 20 19:50:31 2002
@@ -2019,21 +2019,35 @@
 static long get_chunk_size(char *b)
 {
     long chunksize = 0;
+    long chunkbits = sizeof(long) * 8;
 
-    while (ap_isxdigit(*b)) {
+    /* Skip leading zeros */
+    while (*b == '0') {
+        ++b;
+    }
+
+    while (ap_isxdigit(*b) && (chunkbits > 0)) {
         int xvalue = 0;
 
 	/* This works even on EBCDIC. */
-        if (*b >= '0' && *b <= '9')
+        if (*b >= '0' && *b <= '9') {
             xvalue = *b - '0';
-        else if (*b >= 'A' && *b <= 'F')
+        }
+        else if (*b >= 'A' && *b <= 'F') {
             xvalue = *b - 'A' + 0xa;
-        else if (*b >= 'a' && *b <= 'f')
+        }
+        else if (*b >= 'a' && *b <= 'f') {
             xvalue = *b - 'a' + 0xa;
+        }
 
         chunksize = (chunksize << 4) | xvalue;
+        chunkbits -= 4;
         ++b;
     }
+    if (ap_isxdigit(*b) && (chunkbits <= 0)) {
+        /* overflow */
+        return -1;
+    }
 
     return chunksize;
 }
@@ -2117,6 +2131,10 @@
                 return 0;
             }
             r->remaining = -1;  /* Indicate footers in-progress */
+        }
+        else if (len_to_read < 0) {
+            r->connection->keepalive = -1;
+            return -1;
         }
         else {
             r->remaining = len_to_read;

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Follow-Ups:
- Re: PATCH: apache 1.3.24 chunk size thingy - cert_vucert944335_1.3.24
  - From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>

Prev by Date: NIS et propagation de groupes
Next by Date: FIX: Chunk fix for Apache 1.3.24 i386 .deb + source .dsc and .diff.gz available.
Previous by thread: AW: DSA 131: Apache Vulnerability
Next by thread: Re: PATCH: apache 1.3.24 chunk size thingy - cert_vucert944335_1.3.24
Index(es):
- Date
- Thread