This patch should be sufficient to fix the security hole for most
versions of Apache httpd 1.2. Should we put it up on dist/httpd?
....Roy
--- apache-1.2/src/http_protocol.c Thu Jan 4 01:21:10 2001
+++ apache-1.2/src/patched_http_protocol.c Thu Jun 20 18:13:04 2002
@@ -1535,6 +1535,10 @@
}
len_to_read = get_chunk_size(buffer);
+ if (len_to_read < 0) {
+ r->connection->keepalive = -1;
+ return -1;
+ }
if (len_to_read == 0) { /* Last chunk indicated, get footers */
if (r->read_body == REQUEST_CHUNKED_DECHUNK) {
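Review bot: The added `len_to_read < 0` check only catches a chunk size that comes back negative, so it depends on how get_chunk_size(), which is outside this hunk, behaves on an oversized hex value; if the accumulator there can overflow, the result is undefined for a signed type and may also wrap to a positive length that passes this test. It would be safer to have get_chunk_size() reject input with more hex digits than fit in its return type and return a negative value explicitly, keeping this check as the caller-side guard. The rejection is also silent: an error-log entry here would give operators something to alert on, and a comment such as `/* negative chunk size: malformed or overflowed chunk-size line, drop the connection */` would record why the branch exists. The enclosing function starts and ends outside the hunk.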