Bug#1018191: libapreq2: CVE-2022-22728: multipart form parse memory corruption

Tobias Frost Fri, 30 Dec 2022 02:09:16 -0800

I was trying to triage this CVE and *maybe* those revisions are related:

r1894937 ("apreq_parse_headers: Discard CRLF of folded values.")
r1894940 ("reindent (no functional change).") 
r1894977 ("Follow up to r1894937: Fix setting of empty value.")
r1895054 ("Follow up to r1894937: Always eat CRLF at the end of header value.")


diff: 
http://svn.apache.org/viewvc/httpd/apreq/trunk/library/parser_header.c?r1=1894937&r2=1895054&pathrev=1895054&diff_format=h

Those SVN commits have been introduced at the beginning of the 2.17 release 
cycle, so
would match the description "up to 2.16"…

Said that, there are not many changes between 2.13 and 2.17…
IMHHO using 2.17 might be an option to evaluate. However, someone with more 
perland apache2 modules knowledge should 
double check:
- Apache2 Module Magic Number for the apache2 module has been bumped, which 
according to the comment:

> The Apache2 Module Magic Number for use in the Apache 2.x module structures
> This gets bumped if changes in th4e API will break third party applications
> using this apache2 module

Looking at the changes for the module, with 2.13 released on r1041502,
the changes up to the MMM update are only those as in attached 
r1041792-1042894.diff
(between r1041502 and r1041792 there are only changes in regards to the new dev 
cycle, i.e s/2.13/2.14)
Not sure how that would break API… I do not see any other changes to the 
apache2 until recently, which is still unreleased, past 2.17)

- ./glue/perl/xsbuilder/tables/APR/Request/CallbackTable.pm is almost empty 
>>2.13 … No idea what that means…
(attached the diff between 2.13 and 2.15. It's the same, except date, for 2.17)


-- 
tobi (in the hope the analysis helps…)

Index: module/apache2/apreq_module_apache2.h
===================================================================
--- module/apache2/apreq_module_apache2.h	(revision 1041792)
+++ module/apache2/apreq_module_apache2.h	(revision 1042894)
@@ -171,7 +171,7 @@
  * using this apache2 module
  * @see APREQ_MODULE
  */
-#define APREQ_APACHE2_MMN 20090110
+#define APREQ_APACHE2_MMN 20101207
 
 /** @} */
 
Index: module/apache2/handle.c
===================================================================
--- module/apache2/handle.c	(revision 1041792)
+++ module/apache2/handle.c	(revision 1042894)
@@ -15,8 +15,6 @@
 **  limitations under the License.
 */
 
-#include "assert.h"
-
 #include "httpd.h"
 #include "http_config.h"
 #include "http_log.h"
Index: module/apache2/filter.c
===================================================================
--- module/apache2/filter.c	(revision 1041792)
+++ module/apache2/filter.c	(revision 1042894)
@@ -15,8 +15,6 @@
 **  limitations under the License.
 */
 
-#include "assert.h"
-
 #include "httpd.h"
 #include "http_config.h"
 #include "http_log.h"
@@ -37,8 +35,8 @@
     /* d == OR_ALL */
     struct dir_config *dc = apr_palloc(p, sizeof *dc);
     dc->temp_dir      = NULL;
-    dc->read_limit    = APREQ_DEFAULT_READ_LIMIT;
-    dc->brigade_limit = APREQ_DEFAULT_BRIGADE_LIMIT;
+    dc->read_limit    = -1;
+    dc->brigade_limit = -1;
     return dc;
 }
 
@@ -52,7 +50,7 @@
     c->brigade_limit = (b->brigade_limit == (apr_size_t)-1) /* overrides ok */
                       ? a->brigade_limit : b->brigade_limit;
 
-    c->read_limit    = (b->read_limit < a->read_limit)  /* why min? */
+    c->read_limit    = (b->read_limit < a->read_limit)  /* yes, min */
                       ? b->read_limit : a->read_limit;
 
     return c;
@@ -532,10 +530,11 @@
         ctx->brigade_limit = APREQ_DEFAULT_BRIGADE_LIMIT;
     } else {
         ctx->temp_dir      = d->temp_dir;
-        ctx->read_limit    = d->read_limit;
-        ctx->brigade_limit = d->brigade_limit;
+        ctx->read_limit    = (d->read_limit == (apr_uint64_t)-1)
+            ? APREQ_DEFAULT_READ_LIMIT : d->read_limit;
+        ctx->brigade_limit = (d->brigade_limit == (apr_size_t)-1)
+            ? APREQ_DEFAULT_BRIGADE_LIMIT : d->brigade_limit;
     }
 
     f->ctx = ctx;
 }
-
Index: CHANGES
===================================================================
--- CHANGES	(revision 1041792)
+++ CHANGES	(revision 1042894)
@@ -3,6 +3,9 @@
 
 @section v2_14 Changes with libapreq2-2.14 (in development)
 
+- C API [joes]
+  Fix mod_apreq2's config merging.
+
 @section v2_13 Changes with libapreq2-2.13 (released December 3, 2010)
 
 - HTTP Only Cookie [Robert Stone & Adam Prime]

--- libapreq2-2.13/glue/perl/xsbuilder/tables/APR/Request/CallbackTable.pm	2010-11-25 20:19:33.000000000 +0100
+++ libapreq2-2.15/glue/perl/xsbuilder/tables/APR/Request/CallbackTable.pm	2020-11-05 17:21:01.000000000 +0100
@@ -2,222 +2,11 @@
 
 # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 # ! WARNING: generated by My::ParseSource/
-# !          Thu Nov 25 21:19:33 2010
+# !          Thu Nov  5 16:21:01 2020
 # !          do NOT edit, any changes will be lost !
 # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
-$APR::Request::CallbackTable = [
-  {
-    'return_type' => 'apr_status_t',
-    'name' => 'apr_status_t(*)(apreq_handle_t * ,const apr_table_t * * )',
-    'args' => [
-      {
-        'type' => 'apreq_handle_t *',
-        'name' => undef
-      },
-      {
-        'type' => 'const apr_table_t * *',
-        'name' => undef
-      }
-    ]
-  },
-  {
-    'return_type' => 'apr_status_t',
-    'name' => 'apr_status_t(*)(apreq_handle_t * ,const apr_table_t * * )',
-    'args' => [
-      {
-        'type' => 'apreq_handle_t *',
-        'name' => undef
-      },
-      {
-        'type' => 'const apr_table_t * *',
-        'name' => undef
-      }
-    ]
-  },
-  {
-    'return_type' => 'apr_status_t',
-    'name' => 'apr_status_t(*)(apreq_handle_t * ,const apr_table_t * * )',
-    'args' => [
-      {
-        'type' => 'apreq_handle_t *',
-        'name' => undef
-      },
-      {
-        'type' => 'const apr_table_t * *',
-        'name' => undef
-      }
-    ]
-  },
-  {
-    'return_type' => 'apreq_cookie_t *',
-    'name' => 'apreq_cookie_t *(*)(apreq_handle_t * ,const char * )',
-    'args' => [
-      {
-        'type' => 'apreq_handle_t *',
-        'name' => undef
-      },
-      {
-        'type' => 'const char *',
-        'name' => undef
-      }
-    ]
-  },
-  {
-    'return_type' => 'apreq_param_t *',
-    'name' => 'apreq_param_t *(*)(apreq_handle_t * ,const char * )',
-    'args' => [
-      {
-        'type' => 'apreq_handle_t *',
-        'name' => undef
-      },
-      {
-        'type' => 'const char *',
-        'name' => undef
-      }
-    ]
-  },
-  {
-    'return_type' => 'apreq_param_t *',
-    'name' => 'apreq_param_t *(*)(apreq_handle_t * ,const char * )',
-    'args' => [
-      {
-        'type' => 'apreq_handle_t *',
-        'name' => undef
-      },
-      {
-        'type' => 'const char *',
-        'name' => undef
-      }
-    ]
-  },
-  {
-    'return_type' => 'apr_status_t',
-    'name' => 'apr_status_t(*)(apreq_handle_t * ,const apreq_parser_t * * )',
-    'args' => [
-      {
-        'type' => 'apreq_handle_t *',
-        'name' => undef
-      },
-      {
-        'type' => 'const apreq_parser_t * *',
-        'name' => undef
-      }
-    ]
-  },
-  {
-    'return_type' => 'apr_status_t',
-    'name' => 'apr_status_t(*)(apreq_handle_t * ,apreq_parser_t * )',
-    'args' => [
-      {
-        'type' => 'apreq_handle_t *',
-        'name' => undef
-      },
-      {
-        'type' => 'apreq_parser_t *',
-        'name' => undef
-      }
-    ]
-  },
-  {
-    'return_type' => 'apr_status_t',
-    'name' => 'apr_status_t(*)(apreq_handle_t * ,apreq_hook_t * )',
-    'args' => [
-      {
-        'type' => 'apreq_handle_t *',
-        'name' => undef
-      },
-      {
-        'type' => 'apreq_hook_t *',
-        'name' => undef
-      }
-    ]
-  },
-  {
-    'return_type' => 'apr_status_t',
-    'name' => 'apr_status_t(*)(apreq_handle_t * ,apr_size_t * )',
-    'args' => [
-      {
-        'type' => 'apreq_handle_t *',
-        'name' => undef
-      },
-      {
-        'type' => 'apr_size_t *',
-        'name' => undef
-      }
-    ]
-  },
-  {
-    'return_type' => 'apr_status_t',
-    'name' => 'apr_status_t(*)(apreq_handle_t * ,apr_size_t )',
-    'args' => [
-      {
-        'type' => 'apreq_handle_t *',
-        'name' => undef
-      },
-      {
-        'type' => 'apr_size_t',
-        'name' => undef
-      }
-    ]
-  },
-  {
-    'return_type' => 'apr_status_t',
-    'name' => 'apr_status_t(*)(apreq_handle_t * ,apr_uint64_t * )',
-    'args' => [
-      {
-        'type' => 'apreq_handle_t *',
-        'name' => undef
-      },
-      {
-        'type' => 'apr_uint64_t *',
-        'name' => undef
-      }
-    ]
-  },
-  {
-    'return_type' => 'apr_status_t',
-    'name' => 'apr_status_t(*)(apreq_handle_t * ,apr_uint64_t )',
-    'args' => [
-      {
-        'type' => 'apreq_handle_t *',
-        'name' => undef
-      },
-      {
-        'type' => 'apr_uint64_t',
-        'name' => undef
-      }
-    ]
-  },
-  {
-    'return_type' => 'apr_status_t',
-    'name' => 'apr_status_t(*)(apreq_handle_t * ,const char * * )',
-    'args' => [
-      {
-        'type' => 'apreq_handle_t *',
-        'name' => undef
-      },
-      {
-        'type' => 'const char * *',
-        'name' => undef
-      }
-    ]
-  },
-  {
-    'return_type' => 'apr_status_t',
-    'name' => 'apr_status_t(*)(apreq_handle_t * ,const char * )',
-    'args' => [
-      {
-        'type' => 'apreq_handle_t *',
-        'name' => undef
-      },
-      {
-        'type' => 'const char *',
-        'name' => undef
-      }
-    ]
-  }
-];
+$APR::Request::CallbackTable = [];
 
 
 1;

Bug#1018191: libapreq2: CVE-2022-22728: multipart form parse memory corruption

Reply via email to