Bug 51219 - apr_fnmatch infinite loop on pattern "/*/WEB-INF/"
apr_fnmatch infinite loop on pattern "/*/WEB-INF/"
Status: RESOLVED FIXED
Product: APR
Classification: Unclassified
Component: APR
HEAD
PC Linux
: P1 regression (vote)
: ---
Assigned To: Apache Portable Runtime bugs mailinglist
http://cvsweb.netbsd.org/bsdweb.cgi/s...
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2011-05-18 13:07 UTC by Chris
Modified: 2013-03-24 07:46 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Chris 2011-05-18 13:07:04 UTC
After last apr update on Debian 5&6 / i386 for CVE-2011-0419 we observed multiple of our apache servers running 100%+ CPU randomely.

We identified function going into an infinite loop to be  apr_fnmatch trying to match pattern '/*/WEB-INF/' against any non matching uri.

This pattern is matched due to following directive in our .conf:

<Location "/*/WEB-INF/">
  deny from all
</Location> 

Problem was reproduced with Apache apr-1.4.4 recompiled from sources adding the extra testcase (testfnmatch.c):

    {"/*/WEB-INF/", "/wontmatch",       FAIL},

Problem daesn't exist in apr-1.3.12.

Debian patch is apparently a back port of new code in 1.2/1.4 for Deb 5/6

Debian patch info: http://packetstormsecurity.org/files/view/101435/dsa-2237-1.txt

Chris
Comment 1 Chris 2011-05-19 10:22:27 UTC
Bug reported to debian:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627182
Comment 2 Maksymilian 2011-05-21 07:06:15 UTC
Instead of changing the algorithm, it is better to add recursion limit and set 64 (not bigger). I see only one recursion call inside apr_fnmatch

457 	while (apr_dir_read(&finfo, APR_FINFO_NAME, dir) == APR_SUCCESS) {
458 	if (apr_fnmatch(pattern, finfo.name, 0) == APR_SUCCESS) { 

so better limit this call, than change the algorithm.
Comment 3 Stefan Fritsch 2013-03-24 07:46:56 UTC
This is fixed in 1.4.5