Bug 2014461
| Summary: | Test case failure: /CoreOS/httpd/Security/CVE-2014-0118-httpd-mod-deflate-denial-of-service | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Branislav Náter <bnater> |
| Component: | httpd | Assignee: | Stepan Broz <sbroz> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | icesalov |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.0 | CC: | jorton, luhliari, sbroz |
| Target Milestone: | rc | Keywords: | Reopened, Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-06-14 14:08:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Branislav Náter
2021-10-15 10:04:16 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened. This looks like a bug in httpd.
The failed runs on aarch64 all do read the client's request in a single read() -- the request, headers, and the gzipped body. The "deflate_in_filter()" does the inflate completely in the first run while mod_proxy_fcgi is still in ap_proxy_prefetch_input().
The successful run, on the other hand, reads the request and headers in the first read() when in ap_proxy_prefetch_input(), and reads the body later when in dispatch().
The above seems harmless, and in both situations the inflate is successful and uncompressed data is sent to the FCGI socket to PHP; however, the failed run is missing the CONTENT_LENGTH environment variable, which does not get sent because "Content-Length" is removed here:
modules/filters/mod_deflate.c:

```c
1184             rv = apr_brigade_flatten(ctx->bb,
1185                                      ctx->header + ctx->header_len, &len);
1186             if (rv != APR_SUCCESS) {
1187                 return rv;
1188             }
1189             if (len && !ctx->header_len) {
1190                 apr_table_unset(r->headers_in, "Content-Length");
1191                 apr_table_unset(r->headers_in, "Content-MD5");
1192             }
1193             ctx->header_len += len;
1194
1195         } while (ctx->header_len < sizeof(ctx->header));
```
And while this header is removed in both scenarios, in the failed run it happens before send_environment() is done in fcgi_do_request(). In the successful run the header is removed after send_environment() has already been done (while in dispatch()):
modules/proxy/mod_proxy_fcgi.c:

```c
    /* Step 2: Send Environment via FCGI_PARAMS */
    rv = send_environment(conn, r, temp_pool, request_id);
    if (rv != APR_SUCCESS) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01074)
                      "Failed writing Environment to %s:", server_portstr);
        conn->close = 1;
        return HTTP_SERVICE_UNAVAILABLE;
    }

    /* Step 3: Read records from the back end server and handle them. */
    rv = dispatch(conn, conf, r, temp_pool, request_id,
                  &err, &bad_request, &has_responded,
                  input_brigade);
```
Commenting out modules/filters/mod_deflate.c:1190 makes the test pass (it's a test, not a fix).
While I believe sending incorrect (pre-inflate or none) Content-Length with a POST request is a bug, setting "SetEnv proxy-sendcl 1" fixes the test. https://bz.apache.org/bugzilla/show_bug.cgi?id=57087
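Added C model (hypothetical names, not httpd code or the reporter's) of the ordering described above: fcgi_request() returns 1 if CONTENT_LENGTH reached FCGI_PARAMS and last_env() returns the line that was written. Assumptions: the 37-byte compressed / 64-byte inflated sizes are constructed, and proxy-sendcl is modelled as spooling the whole body through the input filters and then re-setting Content-Length to the spooled size (taken to be what ap_proxy_spool_input() does).

```c
#include <stdio.h>
#include <string.h>

typedef struct { const char *k, *v; } hdr_t;
typedef struct { hdr_t h[8]; int n; int inflating; } req_t; /* stand-in for request_rec */

static int hdr_find(const req_t *r, const char *k) {
    for (int i = 0; i < r->n; i++) if (r->h[i].k && !strcmp(r->h[i].k, k)) return i;
    return -1;
}
static void hdr_unset(req_t *r, const char *k) { int i = hdr_find(r, k); if (i >= 0) r->h[i].k = NULL; }
static void hdr_set(req_t *r, const char *k, const char *v) {
    hdr_unset(r, k); r->h[r->n].k = k; r->h[r->n].v = v; r->n++;
}

/* Models the quoted part of deflate_in_filter(): on the first body bytes,
 * Content-Length and Content-MD5 (they describe the compressed body) are dropped. */
static void deflate_in_filter(req_t *r, size_t body_bytes) {
    if (body_bytes == 0) return;
    if (!r->inflating) { hdr_unset(r, "Content-Length"); hdr_unset(r, "Content-MD5"); }
    r->inflating = 1;
}

static char g_env[64];                        /* last FCGI_PARAMS line written */
const char *last_env(void) { return g_env; }

/* Models send_environment(): CONTENT_LENGTH reaches PHP only if the header
 * is still present when FCGI_PARAMS are written. Returns 1 if it was sent. */
static int send_environment(const req_t *r) {
    int i = hdr_find(r, "Content-Length");
    snprintf(g_env, sizeof g_env, "CONTENT_LENGTH=%s", i >= 0 ? r->h[i].v : "(unset)");
    return i >= 0;
}

/* One proxied gzip POST (constructed sizes: 37 bytes compressed, 64 inflated).
 * body_in_first_read: the body came in the same read() as the headers, as in
 * the failing aarch64 runs. proxy_sendcl: "SetEnv proxy-sendcl 1", modelled as
 * spooling the whole body through the filters and then setting Content-Length
 * to the spooled size (assumed to be what ap_proxy_spool_input() does). */
int fcgi_request(int body_in_first_read, int proxy_sendcl) {
    req_t r = { { {"Content-Encoding", "gzip"}, {"Content-Length", "37"} }, 2, 0 };
    deflate_in_filter(&r, body_in_first_read ? 37 : 0); /* ap_proxy_prefetch_input() */
    if (proxy_sendcl) { deflate_in_filter(&r, 37); hdr_set(&r, "Content-Length", "64"); }
    int sent = send_environment(&r);                    /* Step 2 */
    deflate_in_filter(&r, 37);                          /* Step 3: dispatch() reads the rest */
    return sent;
}
```

The two-read case still sends the compressed length (37), which is the "incorrect (pre-inflate)" value the report mentions; the single-read case sends nothing, and proxy-sendcl sends the inflated length.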