Blame SOURCES/httpd-2.4.6-CVE-2018-1301.patch

008793
diff --git a/server/protocol.c b/server/protocol.c
008793
index 9e23325..8428129 100644
008793
--- a/server/protocol.c
008793
+++ b/server/protocol.c
008793
@@ -222,6 +222,12 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
008793
     int fold = flags & AP_GETLINE_FOLD;
008793
     int crlf = flags & AP_GETLINE_CRLF;
008793
 
008793
+    if (!n) {
008793
+        /* Needs room for NUL byte at least */
008793
+        *read = 0;
008793
+        return APR_BADARG;
008793
+    }
008793
+
008793
     /*
008793
      * Initialize last_char as otherwise a random value will be compared
008793
      * against APR_ASCII_LF at the end of the loop if bb only contains
008793
@@ -235,14 +241,15 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
008793
         rv = ap_get_brigade(r->proto_input_filters, bb, AP_MODE_GETLINE,
008793
                             APR_BLOCK_READ, 0);
008793
         if (rv != APR_SUCCESS) {
008793
-            return rv;
008793
+            goto cleanup;
008793
         }
008793
 
008793
         /* Something horribly wrong happened.  Someone didn't block! 
008793
          * (this also happens at the end of each keepalive connection)
008793
          */
008793
         if (APR_BRIGADE_EMPTY(bb)) {
008793
-            return APR_EGENERAL;
008793
+            rv = APR_EGENERAL;
008793
+            goto cleanup;
008793
         }
008793
 
008793
         for (e = APR_BRIGADE_FIRST(bb);
008793
@@ -260,7 +267,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
008793
 
008793
             rv = apr_bucket_read(e, &str, &len, APR_BLOCK_READ);
008793
             if (rv != APR_SUCCESS) {
008793
-                return rv;
008793
+                goto cleanup;
008793
             }
008793
 
008793
             if (len == 0) {
008793
@@ -273,17 +280,8 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
008793
 
008793
             /* Would this overrun our buffer?  If so, we'll die. */
008793
             if (n < bytes_handled + len) {
008793
-                *read = bytes_handled;
008793
-                if (*s) {
008793
-                    /* ensure this string is NUL terminated */
008793
-                    if (bytes_handled > 0) {
008793
-                        (*s)[bytes_handled-1] = '\0';
008793
-                    }
008793
-                    else {
008793
-                        (*s)[0] = '\0';
008793
-                    }
008793
-                }
008793
-                return APR_ENOSPC;
008793
+                rv = APR_ENOSPC;
008793
+                goto cleanup;
008793
             }
008793
 
008793
             /* Do we have to handle the allocation ourselves? */
008793
@@ -291,7 +289,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
008793
                 /* We'll assume the common case where one bucket is enough. */
008793
                 if (!*s) {
008793
                     current_alloc = len;
008793
-                    *s = apr_palloc(r->pool, current_alloc);
008793
+                    *s = apr_palloc(r->pool, current_alloc + 1);
008793
                 }
008793
                 else if (bytes_handled + len > current_alloc) {
008793
                     /* Increase the buffer size */
008793
@@ -302,7 +300,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
008793
                         new_size = (bytes_handled + len) * 2;
008793
                     }
008793
 
008793
-                    new_buffer = apr_palloc(r->pool, new_size);
008793
+                    new_buffer = apr_palloc(r->pool, new_size + 1);
008793
 
008793
                     /* Copy what we already had. */
008793
                     memcpy(new_buffer, *s, bytes_handled);
008793
@@ -326,19 +324,15 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
008793
         }
008793
     }
008793
 
008793
-    if (crlf && (last_char <= *s || last_char[-1] != APR_ASCII_CR)) {
008793
-        *last_char = '\0';
008793
-        bytes_handled = last_char - *s;
008793
-        *read = bytes_handled;
008793
-        return APR_EINVAL;
008793
-    }
008793
-
008793
-    /* Now NUL-terminate the string at the end of the line;
008793
+    /* Now terminate the string at the end of the line;
008793
      * if the last-but-one character is a CR, terminate there */
008793
     if (last_char > *s && last_char[-1] == APR_ASCII_CR) {
008793
         last_char--;
008793
     }
008793
-    *last_char = '\0';
008793
+    else if (crlf) {
008793
+        rv = APR_EINVAL;
008793
+        goto cleanup;
008793
+    }
008793
     bytes_handled = last_char - *s;
008793
 
008793
     /* If we're folding, we have more work to do.
008793
@@ -358,7 +352,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
008793
             rv = ap_get_brigade(r->proto_input_filters, bb, AP_MODE_SPECULATIVE,
008793
                                 APR_BLOCK_READ, 1);
008793
             if (rv != APR_SUCCESS) {
008793
-                return rv;
008793
+                goto cleanup;
008793
             }
008793
 
008793
             if (APR_BRIGADE_EMPTY(bb)) {
008793
@@ -375,7 +369,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
008793
             rv = apr_bucket_read(e, &str, &len, APR_BLOCK_READ);
008793
             if (rv != APR_SUCCESS) {
008793
                 apr_brigade_cleanup(bb);
008793
-                return rv;
008793
+                goto cleanup;
008793
             }
008793
 
008793
             /* Found one, so call ourselves again to get the next line.
008793
@@ -392,10 +386,8 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
008793
             if (c == APR_ASCII_BLANK || c == APR_ASCII_TAB) {
008793
                 /* Do we have enough space? We may be full now. */
008793
                 if (bytes_handled >= n) {
008793
-                    *read = n;
008793
-                    /* ensure this string is terminated */
008793
-                    (*s)[n-1] = '\0';
008793
-                    return APR_ENOSPC;
008793
+                    rv = APR_ENOSPC;
008793
+                    goto cleanup;
008793
                 }
008793
                 else {
008793
                     apr_size_t next_size, next_len;
008793
@@ -408,7 +400,6 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
008793
                         tmp = NULL;
008793
                     }
008793
                     else {
008793
-                        /* We're null terminated. */
008793
                         tmp = last_char;
008793
                     }
008793
 
008793
@@ -417,7 +408,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
008793
                     rv = ap_rgetline_core(&tmp, next_size,
008793
                                           &next_len, r, 0, bb);
008793
                     if (rv != APR_SUCCESS) {
008793
-                        return rv;
008793
+                        goto cleanup;
008793
                     }
008793
 
008793
                     if (do_alloc && next_len > 0) {
008793
@@ -431,7 +422,7 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
008793
                         memcpy(new_buffer, *s, bytes_handled);
008793
 
008793
                         /* copy the new line, including the trailing null */
008793
-                        memcpy(new_buffer + bytes_handled, tmp, next_len + 1);
008793
+                        memcpy(new_buffer + bytes_handled, tmp, next_len);
008793
                         *s = new_buffer;
008793
                     }
008793
 
008793
@@ -444,8 +435,21 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
008793
             }
008793
         }
008793
     }
008793
+
008793
+cleanup:
008793
+    if (bytes_handled >= n) {
008793
+        bytes_handled = n - 1;
008793
+    }
008793
+    if (*s) {
008793
+        /* ensure the string is NUL terminated */
008793
+        (*s)[bytes_handled] = '\0';
008793
+    }
008793
     *read = bytes_handled;
008793
 
008793
+    if (rv != APR_SUCCESS) {
008793
+        return rv;
008793
+    }
008793
+
008793
     /* PR#43039: We shouldn't accept NULL bytes within the line */
008793
     if (strlen(*s) < bytes_handled) {
008793
         return APR_EINVAL;
008793
@@ -484,6 +488,11 @@ AP_DECLARE(int) ap_getline(char *s, int n, request_rec *r, int flags)
008793
     apr_size_t len;
008793
     apr_bucket_brigade *tmp_bb;
008793
 
008793
+    if (n < 1) {
008793
+        /* Can't work since we always NUL terminate */
008793
+        return -1;
008793
+    }
008793
+
008793
     tmp_bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
008793
     rv = ap_rgetline(&tmp_s, n, &len, r, flags, tmp_bb);
008793
     apr_brigade_destroy(tmp_bb);