Security Research

Security Vulnerability
Apache ap_escape_html Memory Allocation Remote Denial of Service Vulnerability

Release date: 2004-06-28
Last updated: 2004-07-02

Affected systems:
Apache Software Foundation Apache 2.0.49
Apache Software Foundation Apache 2.0.48
Apache Software Foundation Apache 2.0.47
Description:
BUGTRAQ ID: 10619
CVE(CAN) ID: CVE-2004-0493

Apache is a popular open-source web server.

The memory allocation in Apache's ap_escape_html is flawed: a remote attacker can use this vulnerability to mount a denial-of-service attack against the Apache server.

The problem lies in ap_get_mime_headers_core in server/protocol.c:
------
    if (last_field != NULL) {
        if ((len > 0) && ((*field == '\t') || *field == ' ')) {
...
            fold_buf = (char *)apr_palloc(r->pool, alloc_len);
-----

If a header line begins with a TAB or a SPACE, Apache treats it as a folded continuation of the previous field and allocates memory for it.

In the call ap_escape_html(r->pool, last_field), the last_field argument can therefore be arbitrarily long, and the function sizes its output with the following code:

----
    int i, j;

    for (i = 0, j = 0; s[i] != '\0'; i++)
        if (s[i] == '<' || s[i] == '>')
            j += 3;
        else if (s[i] == '&')
            j += 4;

    if (j == 0)
        return apr_pstrmemdup(p, s, i);

    x = apr_palloc(p, i + j + 1);
----

Since i and j grow with the input, (i + j + 1) can also be arbitrarily large, so an arbitrary amount of memory is allocated and a large amount of resources consumed. On Linux x86_64 it has been confirmed that sending 820MB of data overflows (i+j+1), so that the subsequent memcpy crashes and causes a denial of service.
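The following is an added illustration written for this page; it is not Apache code. The first function models the int-based sizing arithmetic of ap_escape_html shown above, computing the 32-bit wrap explicitly (signed overflow is undefined in C, so the model does it in 64 bits) and showing what apr_palloc() would be asked for; the second and third show a hardened variant that uses size_t, checks every addition for overflow and enforces a caller-supplied cap, which is the role LimitRequestFieldSize plays in the third-party patch below. The cap parameter, function names and the sample header strings are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Model (not Apache code) of the int sizing in ap_escape_html.  Given how many
 * plain, '<'/'>' and '&' bytes a header holds, return (i + j + 1) as 32-bit
 * two's-complement int arithmetic would produce it.  The wrap is computed
 * explicitly so the model itself has no undefined behaviour. */
int64_t vulnerable_alloc_len(uint64_t n_plain, uint64_t n_angle, uint64_t n_amp)
{
    uint64_t i = n_plain + n_angle + n_amp;   /* bytes scanned (loop counter)   */
    uint64_t j = 3 * n_angle + 4 * n_amp;     /* extra bytes the escapes need   */
    uint32_t wrapped = (uint32_t)(i + j + 1); /* truncate to 32 bits            */
    if (wrapped > INT32_MAX)                  /* reinterpret as a signed int    */
        return (int64_t)wrapped - ((int64_t)1 << 32);
    return (int64_t)wrapped;
}

/* Hardened sizing: size_t arithmetic, an overflow check at every step, and a
 * cap on the escaped length (max_escaped is an assumed parameter).  Returns 0
 * and stores the buffer size including the trailing NUL in *out, or -1 if the
 * escaped string would wrap size_t or exceed the cap. */
int safe_escape_len(const char *s, size_t max_escaped, size_t *out)
{
    size_t total = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        /* "&lt;" / "&gt;" are 4 bytes, "&amp;" is 5, anything else 1 */
        size_t add = (*p == '<' || *p == '>') ? 4 : (*p == '&') ? 5 : 1;
        if (add > SIZE_MAX - total || total + add > max_escaped)
            return -1;                        /* would wrap or exceed the cap  */
        total += add;
    }
    if (total == SIZE_MAX)
        return -1;                            /* no room for the trailing NUL  */
    *out = total + 1;
    return 0;
}

/* Escape '<', '>' and '&' the way ap_escape_html does, into a malloc'd buffer
 * sized by safe_escape_len.  Returns NULL if the cap would be exceeded or
 * allocation fails; the caller frees the result. */
char *safe_escape_html(const char *s, size_t max_escaped)
{
    size_t need;
    if (safe_escape_len(s, max_escaped, &need) != 0)
        return NULL;
    char *x = malloc(need);
    if (x == NULL)
        return NULL;
    size_t k = 0;
    for (const char *p = s; *p; p++) {
        const char *rep = (*p == '<') ? "&lt;"
                        : (*p == '>') ? "&gt;"
                        : (*p == '&') ? "&amp;" : NULL;
        if (rep != NULL) {
            size_t rl = strlen(rep);
            memcpy(x + k, rep, rl);           /* k + rl < need by construction */
            k += rl;
        } else {
            x[k++] = *p;
        }
    }
    x[k] = '\0';
    return x;
}
```

With 820MB (820 * 2^20 bytes) of '&' the model returns 4194305: i + j + 1 = 5 * 820 * 2^20 + 1 = 2^32 + 2^22 + 1, which wraps to 2^22 + 1, so a buffer of about 4MB is allocated for roughly 4.3GB of escaped output, and the copy that follows runs off the end, which is the memcpy crash the advisory reports. The hardened version refuses the request before any allocation happens.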

<*Source: Georgi Guninski (guninski@guninski.com)

  Link: http://www.guninski.com/httpd1.html
*>

Recommendations:
Temporary workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* Georgi Guninski provides the following third-party patch:

----------------------------------
Index: server/protocol.c
===============================================
RCS file: /home/cvspublic/httpd-2.0/server/protocol.c,v
retrieving revision 1.148
diff -u -r1.148 protocol.c
--- server/protocol.c    22 Apr 2004 22:38:03 -0000    1.148
+++ server/protocol.c    13 Jun 2004 19:47:36 -0000
@@ -716,6 +716,23 @@
                  * continuations that span many many lines.
                  */
                 apr_size_t fold_len = last_len + len + 1; /* trailing null */
+
+                if ((fold_len - 1) > r->server->limit_req_fieldsize) {
+                    r->status = HTTP_BAD_REQUEST;
+                    /* report what we have accumulated so far before the
+                     * overflow (last_field) as the field with the problem
+                     */
+                    apr_table_setn(r->notes, "error-notes",
+                                   apr_pstrcat(r->pool,
+                                               "Size of a request header field "
+                                               "after folding "
+                                               "exceeds server limit.<br />\n"
+                                               "<pre>\n",
+                                               ap_escape_html(r->pool, last_field),
+                                               "</pre>\n", NULL));
+                    return;
+                }
+
                 if (fold_len > alloc_len) {
                     char *fold_buf;
                     alloc_len += alloc_len;
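Review bot: the guard sits in the right place, before the `alloc_len += alloc_len` doubling, so no allocation is made for a folded field whose accumulated size exceeds `r->server->limit_req_fieldsize`, and because it runs on every continuation line, the `last_field` handed to `ap_escape_html()` in the error path is already within the limit, which keeps the error report itself from re-triggering the unbounded allocation. Two small points: the `fold_len - 1` in the comparison is there to drop the trailing NUL counted on the `apr_size_t fold_len = last_len + len + 1;` line and deserves a one-line comment saying so, and the hunk carries no ChangeLog or documentation note that oversized folded headers now produce a 400 response.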
----------------------------------

Vendor patch:

Apache Software Foundation
--------------------------
The vendor has released an upgrade patch fixing this security issue; please download it from the vendor's homepage:

http://jakarta.apache.org/tomcat/index.html

This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.