Bug 10146

Summary: 2.0.39 DoS
Product: Apache httpd-2
Reporter: Kozin Maxim <madmax>
Component: Core
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: CLOSED FIXED    
Severity: blocker    
Priority: P3    
Version: 2.0.39   
Target Milestone: ---   
Hardware: PC   
OS: FreeBSD   
Attachments: code for DoS 2.0.39 on FreeBSD 4.[56]

Description Kozin Maxim 2002-06-22 10:50:15 UTC
Hello.

Some time ago the following was posted to a different mailing list:
------------------------------------------------------
Date: Wed, 19 Jun 2002 12:45:24 -0700
From: gobbles@hushmail.com
To: vulndev@vulndev.org, submissions@packetstormsecurity.org,
     bugs@securitytracker.net, bugtraq@securityfocus.com,
     vuln-dev@securityfocus.com
Subject: Remote Apache 1.3.x Exploit
----------------------------------------------------------------
The mail has an attachment, which is "exploit for openbsd" code.
But the "exploit" has one side effect: for Apache 2.0.39
it causes a DoS. The child eats all memory and swap and dies with the diagnostic
"
Jun 20 11:16:39 solo /kernel: pid 49564 (httpd), uid 65534, was killed: out of swap space
"
In gdb we can see that the child loops in
modules/http/http_protocol.c, in the function
ap_discard_request_body():
1962        } while (!seen_eos);
(gdb) n
1920            rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES,
(gdb) n
1923            if (rv != APR_SUCCESS) {
(gdb) n
1939            APR_BRIGADE_FOREACH(bucket, bb) {
(gdb) n
1961            apr_brigade_cleanup(bb);
(gdb) 

And 2.0.40-dev from CVS is DoS-ed too.

p.s.
 OS: FreeBSD 4.5 and 4.6 releases

b.r.
 Kozin Maxim
Comment 1 Kozin Maxim 2002-06-22 10:51:45 UTC
Created attachment 2156
code for DoS 2.0.39 on FreeBSD 4.[56]
Comment 2 Justin Erenkrantz 2002-07-08 07:03:55 UTC
Fixed in CVS.  Will be included in next release (2.0.40).  Thanks for using Apache httpd!