From 83a2e3866918ce6567a683eb4c660688d047ee81 Mon Sep 17 00:00:00 2001
From: Stefan Eissing
Date: Wed, 18 Apr 2018 11:55:17 +0200
Subject: [PATCH] * fixes a race condition where aborting streams triggers an unnecessary timeout.
Note: Re-factored upstream fix https://github.com/icing/mod_h2/commit/83a2e3866918ce6567a683eb4c660688d047ee81, so that it applies to httpd v2.4.27 code. Similarly done at http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_bucket_beam.c?r1=1828879&r2=1828878&pathrev=1828879
CVE: CVE-2018-1333
Upstream-Status: Backport [https://github.com/icing/mod_h2/commit/83a2e3866918ce6567a683eb4c660688d047ee81]
Signed-off-by: Jagadeesh Krishnanjanappa
diff -Naurp httpd-2.4.27_org/modules/http2/h2_bucket_beam.c httpd-2.4.27/modules/http2/h2_bucket_beam.c
--- httpd-2.4.27_org/modules/http2/h2_bucket_beam.c 2017-04-21 06:52:05.000000000 -0700
+++ httpd-2.4.27/modules/http2/h2_bucket_beam.c 2018-07-24 23:44:40.888330955 -0700
@@ -512,6 +512,7 @@ static void recv_buffer_cleanup(h2_bucke
 apr_brigade_destroy(bb);
 if (bl) enter_yellow(beam, bl);
+ apr_thread_cond_broadcast(beam->change);
 if (beam->cons_ev_cb) {
 beam->cons_ev_cb(beam->cons_ctx, beam);
 }
@@ -685,12 +686,10 @@ void h2_beam_abort(h2_bucket_beam *beam)
 h2_beam_lock bl;
 if (enter_yellow(beam, &bl) == APR_SUCCESS) {
- if (!beam->aborted) {
- beam->aborted = 1;
- r_purge_sent(beam);
- h2_blist_cleanup(&beam->send_list);
- report_consumption(beam, &bl);
- }
+ beam->aborted = 1;
+ r_purge_sent(beam);
+ h2_blist_cleanup(&beam->send_list);
+ report_consumption(beam, &bl);
 if (beam->cond) {
 apr_thread_cond_broadcast(beam->cond);
 }
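Review bot: The added `apr_thread_cond_broadcast(beam->change);` in the recv_buffer_cleanup hunk (@@ -512) is unguarded and names a different field than the unchanged context in h2_beam_abort, which broadcasts on `beam->cond` and only inside `if (beam->cond)`. The struct definition is not part of this patch, so this is inferred. If the 2.4.27 beam has only a `cond` member, the backport will not build. If the condition variable can be unset, as the existing guard suggests, this call hands NULL to APR. Matching the file's existing pattern would read `if (beam->cond) { apr_thread_cond_broadcast(beam->cond); }`. recv_buffer_cleanup begins and ends outside the hunk, so this should be confirmed against the full function and h2_bucket_beam.h.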
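Review bot: With the `if (!beam->aborted)` guard removed in the h2_beam_abort hunk (@@ -685), `r_purge_sent`, `h2_blist_cleanup` and `report_consumption` now run on every call, and nothing at the site says this is deliberate. A later tidy-up could restore the guard and bring back the unnecessary timeout this commit fixes. I would add a comment above `beam->aborted = 1;` such as `/* no !aborted guard: a repeated abort must still purge and report consumption (CVE-2018-1333) */`. It is also worth confirming that the three helpers are safe to call again on an already-aborted beam, since their bodies are not in this patch. The function continues past the end of the hunk.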