httpd
/
backport-CVE-2022-29404.patch

From 92499e20034485c5e2d29cb85940e309573d976e Mon Sep 17 00:00:00 2001
From: covener <covener@apache.org>
Date: Wed Jun 1 12:30:46 2022 UTC
Subject: [PATCH] use a liberal default limit for LimitRequestBody of 1GB

---
 modules/http/http_filters.c |  8 +++++++-
 modules/proxy/proxy_util.c  | 13 -------------
 server/core.c               |  2 +-
 3 files changed, 8 insertions(+), 15 deletions(-)

diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
index 3e02da8..c3eab95 100644
--- a/modules/http/http_filters.c
+++ b/modules/http/http_filters.c
@@ -1700,7 +1700,8 @@ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy)
 {
     const char *tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
     const char *lenp = apr_table_get(r->headers_in, "Content-Length");
-
+    apr_off_t limit_req_body = ap_get_limit_req_body(r);
+
     r->read_body = read_policy;
     r->read_chunked = 0;
     r->remaining = 0;
@@ -1735,6 +1736,11 @@ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy)
         return HTTP_REQUEST_ENTITY_TOO_LARGE;
     }

+    if (limit_req_body > 0 && (r->remaining > limit_req_body)) {
+        /* will be logged when the body is discarded */
+        return HTTP_REQUEST_ENTITY_TOO_LARGE;
+    }
+
 #ifdef AP_DEBUG
     {
         /* Make sure ap_getline() didn't leave any droppings. */
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index 4f1610f..04733f2 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -4249,12 +4249,10 @@ PROXY_DECLARE(int) ap_proxy_spool_input(request_rec *r,
     apr_bucket *e;
     apr_off_t bytes, fsize = 0;
     apr_file_t *tmpfile = NULL;
-    apr_off_t limit;

     *bytes_spooled = 0;
     body_brigade = apr_brigade_create(p, bucket_alloc);

-    limit = ap_get_limit_req_body(r);

     do {
         if (APR_BRIGADE_EMPTY(input_brigade)) {
@@ -4273,17 +4271,6 @@ PROXY_DECLARE(int) ap_proxy_spool_input(request_rec *r,
         apr_brigade_length(input_brigade, 1, &bytes);

         if (*bytes_spooled + bytes > max_mem_spool) {
-            /*
-             * LimitRequestBody does not affect Proxy requests (Should it?).
-             * Let it take effect if we decide to store the body in a
-             * temporary file on disk.
-             */
-            if (limit && (*bytes_spooled + bytes > limit)) {
-                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01088)
-                              "Request body is larger than the configured "
-                              "limit of %" APR_OFF_T_FMT, limit);
-                return HTTP_REQUEST_ENTITY_TOO_LARGE;
-            }
             /* can't spool any more in memory; write latest brigade to disk */
             if (tmpfile == NULL) {
                 const char *temp_dir;
diff --git a/server/core.c b/server/core.c
index 957eeff..515047b 100644
--- a/server/core.c
+++ b/server/core.c
@@ -71,7 +71,7 @@

 /* LimitRequestBody handling */
 #define AP_LIMIT_REQ_BODY_UNSET         ((apr_off_t) -1)
-#define AP_DEFAULT_LIMIT_REQ_BODY       ((apr_off_t) 0)
+#define AP_DEFAULT_LIMIT_REQ_BODY       ((apr_off_t) 1<<30) /* 1GB */

 /* LimitXMLRequestBody handling */
 #define AP_LIMIT_UNSET                  ((long) -1)
--
1.8.3.1