Blame SOURCES/httpd-2.4.6-CVE-2014-0118.patch

008793
diff --git a/modules/filters/mod_deflate.c b/modules/filters/mod_deflate.c
008793
index 79f6f8d..6c415c8 100644
008793
--- a/modules/filters/mod_deflate.c
008793
+++ b/modules/filters/mod_deflate.c
008793
@@ -37,6 +37,7 @@
008793
 #include "httpd.h"
008793
 #include "http_config.h"
008793
 #include "http_log.h"
008793
+#include "http_core.h"
008793
 #include "apr_lib.h"
008793
 #include "apr_strings.h"
008793
 #include "apr_general.h"
008793
@@ -52,6 +53,9 @@
008793
 static const char deflateFilterName[] = "DEFLATE";
008793
 module AP_MODULE_DECLARE_DATA deflate_module;
008793
 
008793
+#define AP_INFLATE_RATIO_LIMIT 200
008793
+#define AP_INFLATE_RATIO_BURST 3
008793
+
008793
 typedef struct deflate_filter_config_t
008793
 {
008793
     int windowSize;
008793
@@ -63,6 +67,12 @@ typedef struct deflate_filter_config_t
008793
     char *note_output_name;
008793
 } deflate_filter_config;
008793
 
008793
+typedef struct deflate_dirconf_t {
008793
+    apr_off_t inflate_limit;
008793
+    int ratio_limit,
008793
+        ratio_burst;
008793
+} deflate_dirconf_t;
008793
+
008793
 /* RFC 1952 Section 2.3 defines the gzip header:
008793
  *
008793
  * +---+---+---+---+---+---+---+---+---+---+
008793
@@ -204,6 +214,14 @@ static void *create_deflate_server_config(apr_pool_t *p, server_rec *s)
008793
     return c;
008793
 }
008793
 
008793
+static void *create_deflate_dirconf(apr_pool_t *p, char *dummy)
008793
+{
008793
+    deflate_dirconf_t *dc = apr_pcalloc(p, sizeof(*dc));
008793
+    dc->ratio_limit = AP_INFLATE_RATIO_LIMIT;
008793
+    dc->ratio_burst = AP_INFLATE_RATIO_BURST;
008793
+    return dc;
008793
+}
008793
+
008793
 static const char *deflate_set_window_size(cmd_parms *cmd, void *dummy,
008793
                                            const char *arg)
008793
 {
008793
@@ -295,6 +313,55 @@ static const char *deflate_set_compressionlevel(cmd_parms *cmd, void *dummy,
008793
     return NULL;
008793
 }
008793
 
008793
+
008793
+static const char *deflate_set_inflate_limit(cmd_parms *cmd, void *dirconf,
008793
+                                      const char *arg)
008793
+{
008793
+    deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
008793
+    char *errp;
008793
+
008793
+    if (APR_SUCCESS != apr_strtoff(&dc->inflate_limit, arg, &errp, 10)) {
008793
+        return "DeflateInflateLimitRequestBody is not parsable.";
008793
+    }
008793
+    if (*errp || dc->inflate_limit < 0) {
008793
+        return "DeflateInflateLimitRequestBody requires a non-negative integer.";
008793
+    }
008793
+
008793
+    return NULL;
008793
+}
008793
+
008793
+static const char *deflate_set_inflate_ratio_limit(cmd_parms *cmd,
008793
+                                                   void *dirconf,
008793
+                                                   const char *arg)
008793
+{
008793
+    deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
008793
+    int i;
008793
+
008793
+    i = atoi(arg);
008793
+    if (i <= 0)
008793
+        return "DeflateInflateRatioLimit must be positive";
008793
+
008793
+    dc->ratio_limit = i;
008793
+
008793
+    return NULL;
008793
+}
008793
+
008793
+static const char *deflate_set_inflate_ratio_burst(cmd_parms *cmd,
008793
+                                                   void *dirconf,
008793
+                                                   const char *arg)
008793
+{
008793
+    deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
008793
+    int i;
008793
+
008793
+    i = atoi(arg);
008793
+    if (i <= 0)
008793
+        return "DeflateInflateRatioBurst must be positive";
008793
+
008793
+    dc->ratio_burst = i;
008793
+
008793
+    return NULL;
008793
+}
008793
+
008793
 typedef struct deflate_ctx_t
008793
 {
008793
     z_stream stream;
008793
@@ -304,6 +371,8 @@ typedef struct deflate_ctx_t
008793
     int (*libz_end_func)(z_streamp);
008793
     unsigned char *validation_buffer;
008793
     apr_size_t validation_buffer_length;
008793
+    int ratio_hits;
008793
+    apr_off_t inflate_total;
008793
     unsigned int inflate_init:1;
008793
     unsigned int filter_init:1;
008793
     unsigned int done:1;
008793
@@ -422,6 +491,22 @@ static void deflate_check_etag(request_rec *r, const char *transform)
008793
     }
008793
 }
008793
 
008793
+/* Check whether the (inflate) ratio exceeds the configured limit/burst. */
008793
+static int check_ratio(request_rec *r, deflate_ctx *ctx,
008793
+                       const deflate_dirconf_t *dc)
008793
+{
008793
+    if (ctx->stream.total_in) {
008793
+        int ratio = ctx->stream.total_out / ctx->stream.total_in;
008793
+        if (ratio < dc->ratio_limit) {
008793
+            ctx->ratio_hits = 0;
008793
+        }
008793
+        else if (++ctx->ratio_hits > dc->ratio_burst) {
008793
+            return 0;
008793
+        }
008793
+    }
008793
+    return 1;
008793
+}
008793
+
008793
 static int have_ssl_compression(request_rec *r)
008793
 {
008793
     const char *comp;
008793
@@ -897,6 +982,8 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
008793
     int zRC;
008793
     apr_status_t rv;
008793
     deflate_filter_config *c;
008793
+    deflate_dirconf_t *dc;
008793
+    apr_off_t inflate_limit;
008793
 
008793
     /* just get out of the way of things we don't want. */
008793
     if (mode != AP_MODE_READBYTES) {
008793
@@ -904,6 +991,7 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
008793
     }
008793
 
008793
     c = ap_get_module_config(r->server->module_config, &deflate_module);
008793
+    dc = ap_get_module_config(r->per_dir_config, &deflate_module);
008793
 
008793
     if (!ctx) {
008793
         char deflate_hdr[10];
008793
@@ -994,6 +1082,12 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
008793
         apr_brigade_cleanup(ctx->bb);
008793
     }
008793
 
008793
+    inflate_limit = dc->inflate_limit; 
008793
+    if (inflate_limit == 0) { 
008793
+        /* The core is checking the deflated body, we'll check the inflated */
008793
+        inflate_limit = ap_get_limit_req_body(f->r);
008793
+    }
008793
+
008793
     if (APR_BRIGADE_EMPTY(ctx->proc_bb)) {
008793
         rv = ap_get_brigade(f->next, ctx->bb, mode, block, readbytes);
008793
 
008793
@@ -1038,6 +1132,17 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
008793
 
008793
                 ctx->stream.next_out = ctx->buffer;
008793
                 len = c->bufferSize - ctx->stream.avail_out;
008793
+ 
008793
+                ctx->inflate_total += len;
008793
+                if (inflate_limit && ctx->inflate_total > inflate_limit) { 
008793
+                    inflateEnd(&ctx->stream);
008793
+                    ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02647)
008793
+                            "Inflated content length of %" APR_OFF_T_FMT
008793
+                            " is larger than the configured limit"
008793
+                            " of %" APR_OFF_T_FMT, 
008793
+                            ctx->inflate_total, inflate_limit);
008793
+                    return APR_ENOSPC;
008793
+                }
008793
 
008793
                 ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len);
008793
                 tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len,
008793
@@ -1073,6 +1178,26 @@ static apr_status_t deflate_in_filter(ap_filter_t *f,
008793
                     ctx->stream.next_out = ctx->buffer;
008793
                     len = c->bufferSize - ctx->stream.avail_out;
008793
 
008793
+                    ctx->inflate_total += len;
008793
+                    if (inflate_limit && ctx->inflate_total > inflate_limit) { 
008793
+                        inflateEnd(&ctx->stream);
008793
+                        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02648)
008793
+                                "Inflated content length of %" APR_OFF_T_FMT
008793
+                                " is larger than the configured limit"
008793
+                                " of %" APR_OFF_T_FMT, 
008793
+                                ctx->inflate_total, inflate_limit);
008793
+                        return APR_ENOSPC;
008793
+                    }
008793
+
008793
+                    if (!check_ratio(r, ctx, dc)) {
008793
+                        inflateEnd(&ctx->stream);
008793
+                        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02649)
008793
+                                "Inflated content ratio is larger than the "
008793
+                                "configured limit %i by %i time(s)",
008793
+                                dc->ratio_limit, dc->ratio_burst);
008793
+                        return APR_EINVAL;
008793
+                    }
008793
+
008793
                     ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len);
008793
                     tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len,
008793
                                                       NULL, f->c->bucket_alloc);
008793
@@ -1193,6 +1318,7 @@ static apr_status_t inflate_out_filter(ap_filter_t *f,
008793
     int zRC;
008793
     apr_status_t rv;
008793
     deflate_filter_config *c;
008793
+    deflate_dirconf_t *dc;
008793
 
008793
     /* Do nothing if asked to filter nothing. */
008793
     if (APR_BRIGADE_EMPTY(bb)) {
008793
@@ -1200,6 +1326,7 @@ static apr_status_t inflate_out_filter(ap_filter_t *f,
008793
     }
008793
 
008793
     c = ap_get_module_config(r->server->module_config, &deflate_module);
008793
+    dc = ap_get_module_config(r->per_dir_config, &deflate_module);
008793
 
008793
     if (!ctx) {
008793
 
008793
@@ -1462,6 +1589,14 @@ static apr_status_t inflate_out_filter(ap_filter_t *f,
008793
         while (ctx->stream.avail_in != 0) {
008793
             if (ctx->stream.avail_out == 0) {
008793
 
008793
+                if (!check_ratio(r, ctx, dc)) {
008793
+                    ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02650)
008793
+                            "Inflated content ratio is larger than the "
008793
+                            "configured limit %i by %i time(s)",
008793
+                            dc->ratio_limit, dc->ratio_burst);
008793
+                    return APR_EINVAL;
008793
+                }
008793
+
008793
                 ctx->stream.next_out = ctx->buffer;
008793
                 len = c->bufferSize - ctx->stream.avail_out;
008793
 
008793
@@ -1548,12 +1683,20 @@ static const command_rec deflate_filter_cmds[] = {
008793
                   "Set the Deflate Memory Level (1-9)"),
008793
     AP_INIT_TAKE1("DeflateCompressionLevel", deflate_set_compressionlevel, NULL, RSRC_CONF,
008793
                   "Set the Deflate Compression Level (1-9)"),
008793
+    AP_INIT_TAKE1("DeflateInflateLimitRequestBody", deflate_set_inflate_limit, NULL, OR_ALL,
008793
+                  "Set a limit on size of inflated input"),
008793
+    AP_INIT_TAKE1("DeflateInflateRatioLimit", deflate_set_inflate_ratio_limit, NULL, OR_ALL,
008793
+                  "Set the inflate ratio limit above which inflation is "
008793
+                  "aborted (default: " APR_STRINGIFY(AP_INFLATE_RATIO_LIMIT) ")"),
008793
+    AP_INIT_TAKE1("DeflateInflateRatioBurst", deflate_set_inflate_ratio_burst, NULL, OR_ALL,
008793
+                  "Set the maximum number of following inflate ratios above limit "
008793
+                  "(default: " APR_STRINGIFY(AP_INFLATE_RATIO_BURST) ")"),
008793
     {NULL}
008793
 };
008793
 
008793
 AP_DECLARE_MODULE(deflate) = {
008793
     STANDARD20_MODULE_STUFF,
008793
-    NULL,                         /* dir config creater */
008793
+    create_deflate_dirconf,       /* dir config creater */
008793
     NULL,                         /* dir merger --- default is to override */
008793
     create_deflate_server_config, /* server config */
008793
     NULL,                         /* merge server config */