security fix for CVE-2009-2412

https://svn.apache.org/viewvc?view=rev&revision=800732 from Stefan Sperling
2009-08-07 04:49:38 +00:00 · 2009-08-07 04:49:38 +00:00 · 542e4c2d64
commit 542e4c2d64
parent f84330e752
2 changed files with 87 additions and 2 deletions
--- a/devel/apr-util/Makefile
+++ b/devel/apr-util/Makefile
@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.24 2009/03/11 21:02:18 bernd Exp $
+# $OpenBSD: Makefile,v 1.25 2009/08/07 04:49:38 steven Exp $

 COMMENT=	companion library to APR

 V=		1.2.10
 DISTNAME=	apr-util-$V
-FULLPKGNAME=	apr-util${MT}-$Vp3${FLAVOR_EXT:S/-mt//}
+FULLPKGNAME=	apr-util${MT}-$Vp4${FLAVOR_EXT:S/-mt//}
 SHARED_LIBS +=	aprutil-1${MT}          2.11     # .2.11

 CATEGORIES=	devel
--- a/devel/apr-util/patches/patch-misc_apr_rmm_c
+++ b/devel/apr-util/patches/patch-misc_apr_rmm_c
@ -0,0 +1,85 @@
+$OpenBSD: patch-misc_apr_rmm_c,v 1.1 2009/08/07 04:49:38 steven Exp $
+
+SECURITY: CVE-2009-2412 (cve.mitre.org)
+Fix overflow in rmm, where size alignment was taking place.
+
+--- misc/apr_rmm.c.orig	Fri Aug  5 11:43:16 2005
+++ misc/apr_rmm.c	Fri Aug  7 00:08:22 2009
+@@ -306,13 +306,17 @@ APU_DECLARE(apr_status_t) apr_rmm_detach(apr_rmm_t *rm
+ 
+ APU_DECLARE(apr_rmm_off_t) apr_rmm_malloc(apr_rmm_t *rmm, apr_size_t reqsize)
+ {
+    apr_size_t size;
+     apr_rmm_off_t this;
+     
+-    reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+    size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+    if (size < reqsize) {
+        return 0;
+    }
+ 
+     APR_ANYLOCK_LOCK(&rmm->lock);
+ 
+-    this = find_block_of_size(rmm, reqsize);
+    this = find_block_of_size(rmm, size);
+ 
+     if (this) {
+         move_block(rmm, this, 0);
+@@ -325,18 +329,22 @@ APU_DECLARE(apr_rmm_off_t) apr_rmm_malloc(apr_rmm_t *r
+ 
+ APU_DECLARE(apr_rmm_off_t) apr_rmm_calloc(apr_rmm_t *rmm, apr_size_t reqsize)
+ {
+    apr_size_t size;
+     apr_rmm_off_t this;
+         
+-    reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+    size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+    if (size < reqsize) {
+        return 0;
+    }
+ 
+     APR_ANYLOCK_LOCK(&rmm->lock);
+ 
+-    this = find_block_of_size(rmm, reqsize);
+    this = find_block_of_size(rmm, size);
+ 
+     if (this) {
+         move_block(rmm, this, 0);
+         this += RMM_BLOCK_SIZE;
+-        memset((char*)rmm->base + this, 0, reqsize - RMM_BLOCK_SIZE);
+        memset((char*)rmm->base + this, 0, size - RMM_BLOCK_SIZE);
+     }
+ 
+     APR_ANYLOCK_UNLOCK(&rmm->lock);
+@@ -349,16 +357,19 @@ APU_DECLARE(apr_rmm_off_t) apr_rmm_realloc(apr_rmm_t *
+     apr_rmm_off_t this;
+     apr_rmm_off_t old;
+     struct rmm_block_t *blk;
+-    apr_size_t oldsize;
+    apr_size_t size, oldsize;
+ 
+     if (!entity) {
+         return apr_rmm_malloc(rmm, reqsize);
+     }
+ 
+-    reqsize = APR_ALIGN_DEFAULT(reqsize);
+    size = APR_ALIGN_DEFAULT(reqsize);
+    if (size < reqsize) {
+        return 0;
+    }
+     old = apr_rmm_offset_get(rmm, entity);
+ 
+-    if ((this = apr_rmm_malloc(rmm, reqsize)) == 0) {
+    if ((this = apr_rmm_malloc(rmm, size)) == 0) {
+         return 0;
+     }
+ 
+@@ -366,7 +377,7 @@ APU_DECLARE(apr_rmm_off_t) apr_rmm_realloc(apr_rmm_t *
+     oldsize = blk->size;
+ 
+     memcpy(apr_rmm_addr_get(rmm, this),
+-           apr_rmm_addr_get(rmm, old), oldsize < reqsize ? oldsize : reqsize);
+           apr_rmm_addr_get(rmm, old), oldsize < size ? oldsize : size);
+     apr_rmm_free(rmm, old);
+ 
+     return this;