blob: 9cd207c0419fc014f45ef86a26ae2a603e84d156 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
From 83a2e3866918ce6567a683eb4c660688d047ee81 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan.eissing@greenbytes.de>
Date: Wed, 18 Apr 2018 11:55:17 +0200
Subject: [PATCH] * fixes a race condition where aborting streams triggers an
unnecessary timeout.
Note: Re-factored upstream fix
https://github.com/icing/mod_h2/commit/83a2e3866918ce6567a683eb4c660688d047ee81,
so that it applies to httpd v2.4.27 code. Similarly done at
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_bucket_beam.c?r1=1828879&r2=1828878&pathrev=1828879
CVE: CVE-2018-1333
Upstream-Status: Backport [https://github.com/icing/mod_h2/commit/83a2e3866918ce6567a683eb4c660688d047ee81]
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
diff -Naurp httpd-2.4.27_org/modules/http2/h2_bucket_beam.c httpd-2.4.27/modules/http2/h2_bucket_beam.c
--- httpd-2.4.27_org/modules/http2/h2_bucket_beam.c 2017-04-21 06:52:05.000000000 -0700
+++ httpd-2.4.27/modules/http2/h2_bucket_beam.c 2018-07-24 23:44:40.888330955 -0700
@@ -512,6 +512,7 @@ static void recv_buffer_cleanup(h2_bucke
apr_brigade_destroy(bb);
if (bl) enter_yellow(beam, bl);
+ apr_thread_cond_broadcast(beam->change);
if (beam->cons_ev_cb) {
beam->cons_ev_cb(beam->cons_ctx, beam);
}
@@ -685,12 +686,10 @@ void h2_beam_abort(h2_bucket_beam *beam)
h2_beam_lock bl;
if (enter_yellow(beam, &bl) == APR_SUCCESS) {
- if (!beam->aborted) {
- beam->aborted = 1;
- r_purge_sent(beam);
- h2_blist_cleanup(&beam->send_list);
- report_consumption(beam, &bl);
- }
+ beam->aborted = 1;
+ r_purge_sent(beam);
+ h2_blist_cleanup(&beam->send_list);
+ report_consumption(beam, &bl);
if (beam->cond) {
apr_thread_cond_broadcast(beam->cond);
}
|