ID

VAR-201001-0329


TITLE

Apache mod_proxy module HTTP chunked encoding integer overflow vulnerability

Trust: 0.6

sources: CNVD: CNVD-2010-0173

DESCRIPTION

Apache HTTP Server is a popular web server. The Apache server's mod_proxy module has an integer overflow vulnerability, triggered when performing type conversions, that can eventually cause a heap overflow. The following is a vulnerable code snippet from "./src/modules/proxy/proxy_util.c":

    long int ap_proxy_send_fb(BUFF *f, request_rec *r, cache_req *c, off_t len,
                              int nowrite, int chunked, size_t recv_buffer_size)
    {
        ...
        size_t buf_size;
        long remaining = 0;
        ...
        for (end_of_chunk = ok = 1; ok;) {
            ...
            if (chunked) {
                long chunk_start = 0;
                n = 0;

                /* start of a new chunk */
                if (end_of_chunk) {
                    end_of_chunk = 0;
                    /* get the chunk size from the stream */
                    chunk_start = ap_getline(buf, buf_size, f, 0);  /* <-- [0] reading line from traffic (socket) */
                    if ((chunk_start <= 0) || ((size_t)chunk_start + 1 >= buf_size) || !ap_isxdigit(*buf)) {
                        n = -1;
                    }
                    /* parse the chunk size */
                    else {
                        remaining = ap_get_chunk_size(buf);  /* <-- [1] convert read data to 'long' size! */
                        if (remaining == 0) { /* Last chunk indicated, get footers */
                            ...
                        }
                        else if (remaining < 0) {
                            n = -1;
                            ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, r,
                                          "proxy: Remote protocol error, invalid chunk size");
                        }
                    }
                }

                /* read the chunk */
                if (remaining > 0) {
                    n = ap_bread(f, buf, MIN((int)buf_size, (int)remaining));  /* <-- [2] convert 'long' to 'int' !!!! */
                    if (n > -1) {
                        remaining -= n;
                        end_of_chunk = (remaining == 0);
                    }
                }
                ......
    }

When the server reads the HTTP headers and the connection uses chunked transfer encoding, it waits at [0] and reads the chunk size data from the socket. At [1] the received data is converted to a long. If the chunk size is positive, [2] casts the long directly to an int, which may trigger an integer overflow on the amd64 architecture.
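The narrowing at [2], reproduced in isolation as an added example (not part of the original advisory and not Apache's code). The function names, the 8192-byte buffer and the sample chunk sizes are constructed for illustration, and the checked variant is one possible hardening, not the vendor's fix; an LP64 platform is assumed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* The narrowing only loses bits where long is wider than int (LP64, e.g. amd64). */
_Static_assert(sizeof(long) > sizeof(int), "example assumes an LP64 platform");

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Pattern from step [2]: both operands are cast to int before MIN, so only
 * the low 32 bits of the chunk size survive (result as produced by GCC/Clang). */
static int read_len_narrowing(size_t buf_size, long remaining)
{
    return MIN((int)buf_size, (int)remaining);
}

/* Hardened form (this example's assumption, not the vendor's patch): clamp in
 * the wide type first, then narrow a value already known to fit in int.
 * Returns -1 for a size the caller must treat as a protocol error. */
static int read_len_checked(size_t buf_size, long remaining)
{
    size_t want;

    if (remaining <= 0 || buf_size == 0)
        return -1;
    want = (size_t)remaining;
    if (want > buf_size)
        want = buf_size;
    if (want > (size_t)INT_MAX)
        want = (size_t)INT_MAX;
    return (int)want;
}

int main(void)
{
    const size_t buf_size = 8192;   /* constructed buffer size */
    /* Constructed chunk sizes: one ordinary, three beyond INT_MAX. */
    const long samples[] = { 100L, 0x80000000L, 0xFFFFFFFFL, 0x100000000L };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("remaining=%#lx  narrowing=%d  checked=%d\n",
               (unsigned long)samples[i],
               read_len_narrowing(buf_size, samples[i]),
               read_len_checked(buf_size, samples[i]));
    return 0;
}
```

The `remaining > 0` test in the original code passes for every sample, yet the narrowed length is negative or zero for the three large values, while the checked form never returns more than the buffer size.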

Trust: 0.6

sources: CNVD: CNVD-2010-0173

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2010-0173

AFFECTED PRODUCTS

vendor: no, model: -, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2010-0173

EXTERNAL IDS

db: CNVD, id: CNVD-2010-0173

Trust: 0.6

sources: CNVD: CNVD-2010-0173

SOURCES

db: CNVD, id: CNVD-2010-0173

LAST UPDATE DATE

2022-05-04T09:19:26.600000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2010-0173, date: 2010-01-28T00:00:00

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2010-0173, date: 2010-01-28T00:00:00