From: Hans Zandbelt Date: Tue, 6 Feb 2024 23:45:40 +0100 Subject: [PATCH] release 2.4.15.2: fix DoS CVE-2024-24814 fix CVE-2024-24814: DoS when 'OIDCSessionType client-cookie' is set and a crafted Cookie header is supplied https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv Signed-off-by: Hans Zandbelt --- src/util.c | 35 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/src/util.c b/src/util.c index c6453d0..6782293 100644 --- a/src/util.c +++ b/src/util.c @@ -1288,25 +1288,24 @@ static char* oidc_util_get_chunk_cookie_name(request_rec *r, */ char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName, int chunkSize) { - char *cookieValue = NULL; - char *chunkValue = NULL; - int i = 0; - if (chunkSize == 0) { - cookieValue = oidc_util_get_cookie(r, cookieName); - } else { - int chunkCount = oidc_util_get_chunked_count(r, cookieName); - if (chunkCount > 0) { - cookieValue = ""; - for (i = 0; i < chunkCount; i++) { - chunkValue = oidc_util_get_cookie(r, - oidc_util_get_chunk_cookie_name(r, cookieName, i)); - if (chunkValue != NULL) - cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue, - chunkValue); - } - } else { - cookieValue = oidc_util_get_cookie(r, cookieName); + char *cookieValue = NULL, *chunkValue = NULL; + int chunkCount = 0, i = 0; + if (chunkSize == 0) + return oidc_util_get_cookie(r, cookieName); + chunkCount = oidc_util_get_chunked_count(r, cookieName); + if (chunkCount == 0) + return oidc_util_get_cookie(r, cookieName); + if ((chunkCount < 0) || (chunkCount > 99)) { + oidc_warn(r, "chunk count out of bounds: %d", chunkCount); + return NULL; + } + for (i = 0; i < chunkCount; i++) { + chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i)); + if (chunkValue == NULL) { + oidc_warn(r, "could not find chunk %d; aborting", i); + break; } + cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue); } return cookieValue; }