
Blame SOURCES/httpd-2.4.6-CVE-2016-2161.patch

21495e
diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
21495e
index 44b5fc8..6a50ba7 100644
21495e
--- a/modules/aaa/mod_auth_digest.c
21495e
+++ b/modules/aaa/mod_auth_digest.c
21495e
@@ -261,6 +261,26 @@ static void log_error_and_cleanup(char *msg, apr_status_t sts, server_rec *s)
21495e
     cleanup_tables(NULL);
21495e
 }
21495e
 
21495e
+/* RMM helper functions that behave like single-step malloc/free. */
21495e
+
21495e
+static void *rmm_malloc(apr_rmm_t *rmm, apr_size_t size)
21495e
+{
21495e
+    apr_rmm_off_t offset = apr_rmm_malloc(rmm, size);
21495e
+
21495e
+    if (!offset) {
21495e
+        return NULL;
21495e
+    }
21495e
+
21495e
+    return apr_rmm_addr_get(rmm, offset);
21495e
+}
21495e
+
21495e
+static apr_status_t rmm_free(apr_rmm_t *rmm, void *alloc)
21495e
+{
21495e
+    apr_rmm_off_t offset = apr_rmm_offset_get(rmm, alloc);
21495e
+
21495e
+    return apr_rmm_free(rmm, offset);
21495e
+}
21495e
+
21495e
 #if APR_HAS_SHARED_MEMORY
21495e
 
21495e
 static int initialize_tables(server_rec *s, apr_pool_t *ctx)
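Review bot: `rmm_free()` passes `alloc` straight to `apr_rmm_offset_get()` without a NULL check, so unlike `free(NULL)` it would hand a meaningless offset to `apr_rmm_free()`. The only caller visible in this patch is guarded by `if (entry)`, but the header comment promises malloc/free-like behaviour, so either add `if (!alloc) return APR_SUCCESS;` at the top or state the non-NULL precondition in the comment. The comment should also record why the wrappers exist, for example `/* apr_rmm_malloc() returns offset 0 on failure; feeding that to apr_rmm_addr_get() yields a non-NULL address, so callers' NULL checks never fired. */` (that is my reading of the APR behaviour the `if (!offset)` test relies on; worth confirming against the APR-util headers in this build).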
21495e
@@ -299,8 +319,8 @@ static int initialize_tables(server_rec *s, apr_pool_t *ctx)
21495e
         return !OK;
21495e
     }
21495e
 
21495e
-    client_list = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(*client_list) +
21495e
-                                                          sizeof(client_entry*)*num_buckets));
21495e
+    client_list = rmm_malloc(client_rmm, sizeof(*client_list) +
21495e
+                                         sizeof(client_entry *) * num_buckets);
21495e
     if (!client_list) {
21495e
         log_error_and_cleanup("failed to allocate shared memory", -1, s);
21495e
         return !OK;
21495e
@@ -322,7 +342,7 @@ static int initialize_tables(server_rec *s, apr_pool_t *ctx)
21495e
 
21495e
     /* setup opaque */
21495e
 
21495e
-    opaque_cntr = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(*opaque_cntr)));
21495e
+    opaque_cntr = rmm_malloc(client_rmm, sizeof(*opaque_cntr));
21495e
     if (opaque_cntr == NULL) {
21495e
         log_error_and_cleanup("failed to allocate shared memory", -1, s);
21495e
         return !OK;
21495e
@@ -339,7 +359,7 @@ static int initialize_tables(server_rec *s, apr_pool_t *ctx)
21495e
 
21495e
     /* setup one-time-nonce counter */
21495e
 
21495e
-    otn_counter = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(*otn_counter)));
21495e
+    otn_counter = rmm_malloc(client_rmm, sizeof(*otn_counter));
21495e
     if (otn_counter == NULL) {
21495e
         log_error_and_cleanup("failed to allocate shared memory", -1, s);
21495e
         return !OK;
21495e
@@ -779,7 +799,7 @@ static client_entry *get_client(unsigned long key, const request_rec *r)
21495e
  * last entry in each bucket and updates the counters. Returns the
21495e
  * number of removed entries.
21495e
  */
21495e
-static long gc(void)
21495e
+static long gc(server_rec *s)
21495e
 {
21495e
     client_entry *entry, *prev;
21495e
     unsigned long num_removed = 0, idx;
21495e
@@ -789,6 +809,12 @@ static long gc(void)
21495e
     for (idx = 0; idx < client_list->tbl_len; idx++) {
21495e
         entry = client_list->table[idx];
21495e
         prev  = NULL;
21495e
+
21495e
+        if (!entry) {
21495e
+            /* This bucket is empty. */
21495e
+            continue;
21495e
+        }
21495e
+
21495e
         while (entry->next) {   /* find last entry */
21495e
             prev  = entry;
21495e
             entry = entry->next;
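Review bot: Once the empty-bucket `continue` is in place, `entry` can no longer be NULL when `while (entry->next)` exits, so the `if (entry)` test later in the loop body (outside this hunk) is always true and reads as if NULL were still possible there. Dropping that test, or keeping it with a comment that it is purely defensive, would make the invariant clear. The new guard's comment could also say what it protects against, e.g. `/* Empty bucket: nothing to evict, and entry->next below would dereference NULL. */`. The body of gc() begins and ends outside this hunk.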
21495e
@@ -800,8 +826,16 @@ static long gc(void)
21495e
             client_list->table[idx] = NULL;
21495e
         }
21495e
         if (entry) {                    /* remove entry */
21495e
-            apr_rmm_free(client_rmm, apr_rmm_offset_get(client_rmm, entry));
21495e
+            apr_status_t err;
21495e
+
21495e
+            err = rmm_free(client_rmm, entry);
21495e
             num_removed++;
21495e
+
21495e
+            if (err) {
21495e
+                /* Nothing we can really do but log... */
21495e
+                ap_log_error(APLOG_MARK, APLOG_ERR, err, s, APLOGNO()
21495e
+                             "Failed to free auth_digest client allocation");
21495e
+            }
21495e
         }
21495e
     }
21495e
 
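Review bot: The new `ap_log_error()` call uses an empty `APLOGNO()`, whereas the neighbouring messages in this patch carry allocated tags (`APLOGNO(01766)`, `APLOGNO(01767)`), so this error cannot be matched by tag in log searches or alerting on shared-memory problems. A number allocated through the project's usual procedure should go in, `APLOGNO(<allocated-number>)`. Separately, `num_removed++` runs before `err` is checked, and the entry appears to be unlinked from its bucket already (`client_list->table[idx] = NULL` just above, and presumably a `prev` branch before the hunk), so a failed free is counted as removed while its slot is not reclaimed. If that is intended, the comment should say so, e.g. `/* Entry is already unlinked, so it still counts as removed; the slot itself is leaked. */`. gc() starts and ends outside this hunk.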
21495e
@@ -835,16 +869,16 @@ static client_entry *add_client(unsigned long key, client_entry *info,
21495e
 
21495e
     /* try to allocate a new entry */
21495e
 
21495e
-    entry = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(client_entry)));
21495e
+    entry = rmm_malloc(client_rmm, sizeof(client_entry));
21495e
     if (!entry) {
21495e
-        long num_removed = gc();
21495e
+        long num_removed = gc(s);
21495e
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01766)
21495e
                      "gc'd %ld client entries. Total new clients: "
21495e
                      "%ld; Total removed clients: %ld; Total renewed clients: "
21495e
                      "%ld", num_removed,
21495e
                      client_list->num_created - client_list->num_renewed,
21495e
                      client_list->num_removed, client_list->num_renewed);
21495e
-        entry = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(client_entry)));
21495e
+        entry = rmm_malloc(client_rmm, sizeof(client_entry));
21495e
         if (!entry) {
21495e
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01767)
21495e
                          "unable to allocate new auth_digest client");
21495e