Google Git
Sign in
apache / httpd / bd61fb9492465e7702eac6036b33466495a01cf9
commitbd61fb9492465e7702eac6036b33466495a01cf9[log] [tgz]
authorJoe Orton <jorton@apache.org>Tue Jan 06 11:02:20 2026 +0000
committerJoe Orton <jorton@apache.org>Tue Jan 06 11:02:20 2026 +0000
tree634d1e45bac2155854513cc80566961c030fd9ce
parent9d749066e2da7222208bcbeb992a2de324d6bc27 [diff]
mod_dav: Fix security issue in unreleased MS-WDV support:

* modules/dav/main/ms_wdv.c (mswdv_combined_proppatch):
  The MS-WDV combined PROPPATCH handler reads a 16-byte hex length
  prefix from the request body and uses it directly for memory
  allocation without bounds checking. An attacker can specify an
  extremely large value to trigger OOM and crash the worker process.

  This patch validates the parsed length against LimitXMLRequestBody
  and APR_SIZE_MAX before allocation.

Reported by: Pavel Kohout, Aisle Research, www.aisle.com
Submitted by: Pavel Kohout, jorton
Github: closes #592


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1931148 13f79535-47bb-0310-9956-ffa450edef68
1 file changed
tree: 634d1e45bac2155854513cc80566961c030fd9ce
  1. .github/
  2. build/
  3. changes-entries/
  4. docs/
  5. include/
  6. modules/
  7. os/
  8. server/
  9. srclib/
  10. support/
  11. test/
  12. README.mdREADME
  13. .gdbinit
  14. .gitignore
  15. ABOUT_APACHE
  16. acinclude.m4
  17. ap.d
  18. Apache-apr2.dsw
  19. Apache.dsw
  20. apache_probes.d
  21. BuildAll.dsp
  22. BuildBin.dsp
  23. buildconf
  24. CHANGES
  25. CMakeLists.txt
  26. config.layout
  27. configure.in
  28. emacs-style
  29. httpd.dsp
  30. INSTALL
  31. InstallBin.dsp
  32. LAYOUT
  33. libapreq.dsp
  34. libhttpd.dsp
  35. LICENSE
  36. Makefile.in
  37. Makefile.win
  38. NOTICE
  39. NWGNUmakefile
  40. README
  41. README.CHANGES
  42. README.cmake
  43. README.platforms
  44. ROADMAP
  45. SECURITY.md
  46. STATUS
  47. VERSIONING