From 4022c12f314bd89d127d1be008b1a80a08e1203d Mon Sep 17 00:00:00 2001
From: Hans Zandbelt
Date: Tue, 6 Feb 2024 23:45:40 +0100
Subject: [PATCH] release 2.4.15.2: fix DoS CVE-2024-24814

fix CVE-2024-24814: DoS when `OIDCSessionType client-cookie` is set and a crafted Cookie header is supplied
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv

Signed-off-by: Hans Zandbelt
---
 ChangeLog | 5 +++++
 configure.ac | 2 +-
 src/util.c | 33 +++++++++++++++++----------------
 3 files changed, 23 insertions(+), 17 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 761e145c..1136582b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+02/13/2024
+- CVE-2024-24814: prevent DoS when `OIDCSessionType client-cookie` is set and a crafted Cookie header is supplied
+ https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
+- release 2.4.15.2
+
 01/31/2024
 - avoid crash when Forwarded is not present but OIDCXForwardedHeaders is configured for it; see #1171; thanks @daviddpd
 - bump to 2.4.15.2dev
diff --git a/configure.ac b/configure.ac
index 5f334ddd..0ffa5140 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.15.2dev],[hans.zandbelt@openidc.com])
+AC_INIT([mod_auth_openidc],[2.4.15.2],[hans.zandbelt@openidc.com])
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
diff --git a/src/util.c b/src/util.c
index 1248d977..7feda79c 100644
--- a/src/util.c
+++ b/src/util.c
@@ -1559,23 +1559,24 @@ static char *oidc_util_get_chunk_cookie_name(request_rec *r, const char *cookieN
  * get a cookie value that is split over a number of chunked cookies
  */
 char *oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName, int chunkSize) {
- char *cookieValue = NULL;
- char *chunkValue = NULL;
- int i = 0;
- if (chunkSize == 0) {
- cookieValue = oidc_util_get_cookie(r, cookieName);
- } else {
- int chunkCount = oidc_util_get_chunked_count(r, cookieName);
- if (chunkCount > 0) {
- cookieValue = "";
- for (i = 0; i < chunkCount; i++) {
- chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
- if (chunkValue != NULL)
- cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue, chunkValue);
- }
- } else {
- cookieValue = oidc_util_get_cookie(r, cookieName);
+ char *cookieValue = NULL, *chunkValue = NULL;
+ int chunkCount = 0, i = 0;
+ if (chunkSize == 0)
+ return oidc_util_get_cookie(r, cookieName);
+ chunkCount = oidc_util_get_chunked_count(r, cookieName);
+ if (chunkCount == 0)
+ return oidc_util_get_cookie(r, cookieName);
+ if ((chunkCount < 0) || (chunkCount > 99)) {
+ oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
+ return NULL;
+ }
+ for (i = 0; i < chunkCount; i++) {
+ chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
+ if (chunkValue == NULL) {
+ oidc_warn(r, "could not find chunk %d; aborting", i);
+ break;
  }
+ cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue);
  }
  return cookieValue;
 }
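Review bot: The `99` in the new bounds check `if ((chunkCount < 0) || (chunkCount > 99))` is a bare magic number with no comment tying it to its purpose, yet this check is the actual CVE-2024-24814 mitigation; it deserves a named constant and a why-comment such as `/* CVE-2024-24814: the chunk count is parsed from an attacker-controlled Cookie header; cap it so the per-chunk lookups and the growing apr_psprintf copies below stay bounded */`. Whether 99 also matches the widest chunk index `oidc_util_get_chunk_cookie_name` can format is not visible in this hunk and is worth stating next to the constant. Separately, after `oidc_warn(r, "could not find chunk %d; aborting", i)` the loop only does `break;`, so a Cookie header with a gap in the chunk sequence makes the function return the partial concatenation of the earlier chunks instead of NULL, which differs from the old skip-and-continue behaviour; if callers are expected to treat a truncated value as "no session", `return NULL;` in place of `break;` would make that explicit. The whole body of oidc_util_get_chunked_cookie is inside this hunk.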