summaryrefslogtreecommitdiff
path: root/usr.sbin
diff options
context:
space:
mode:
authorHenning Brauer <henning@cvs.openbsd.org>2004-06-10 16:55:03 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2004-06-10 16:55:03 +0000
commit3be0d0939b61a78206efe3b66bf68bb48345fb8c (patch)
tree2119380571df0d82eda6a7bb136f4c16b13cb6f3 /usr.sbin
parent84fa956e0b27924f08ce205eabd84dbefae553a4 (diff)
SECURITY: CAN-2004-0492 (cve.mitre.org)
Reject responses from a remote server if sent an invalid (negative) Content-Length. [Mark Cox]
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/httpd/src/modules/proxy/proxy_http.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/usr.sbin/httpd/src/modules/proxy/proxy_http.c b/usr.sbin/httpd/src/modules/proxy/proxy_http.c
index e82576d139a..428985691fd 100644
--- a/usr.sbin/httpd/src/modules/proxy/proxy_http.c
+++ b/usr.sbin/httpd/src/modules/proxy/proxy_http.c
@@ -561,6 +561,13 @@ int ap_proxy_http_handler(request_rec *r, cache_req *c, char *url,
content_length = ap_table_get(resp_hdrs, "Content-Length");
if (content_length != NULL) {
c->len = ap_strtol(content_length, NULL, 10);
+
+ if (c->len < 0) {
+ ap_kill_timeout(r);
+ return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool,
+ "Invalid Content-Length from remote server",
+ NULL));
+ }
}
}