httpd/backport-CVE-2022-29404.patch

From 92499e20034485c5e2d29cb85940e309573d976e Mon Sep 17 00:00:00 2001
From: covener <covener@apache.org>
Date: Wed Jun 1 12:30:46 2022 UTC
Subject: [PATCH] use a liberal default limit for LimitRequestBody of 1GB

---
 modules/http/http_filters.c | 7 +++++++
 server/core.c               | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
index 325cf53..f25d6f0 100644
--- a/modules/http/http_filters.c
+++ b/modules/http/http_filters.c
@@ -1717,6 +1717,7 @@ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy)
 {
     const char *tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
     const char *lenp = apr_table_get(r->headers_in, "Content-Length");
+    apr_off_t limit_req_body = ap_get_limit_req_body(r);
 
     r->read_body = read_policy;
     r->read_chunked = 0;
@@ -1755,6 +1756,12 @@ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy)
         return HTTP_REQUEST_ENTITY_TOO_LARGE;
     }
 
+    if (limit_req_body > 0 && (r->remaining > limit_req_body)) {
+        /* will be logged when the body is discarded */
+        return HTTP_REQUEST_ENTITY_TOO_LARGE;
+    }
+
+
 #ifdef AP_DEBUG
     {
         /* Make sure ap_getline() didn't leave any droppings. */
diff --git a/server/core.c b/server/core.c
index 720b9a5..4e7acc8 100644
--- a/server/core.c
+++ b/server/core.c
@@ -65,7 +65,7 @@
 
 /* LimitRequestBody handling */
 #define AP_LIMIT_REQ_BODY_UNSET         ((apr_off_t) -1)
-#define AP_DEFAULT_LIMIT_REQ_BODY       ((apr_off_t) 0)
+#define AP_DEFAULT_LIMIT_REQ_BODY       ((apr_off_t) 1<<30)
 
 /* LimitXMLRequestBody handling */
 #define AP_LIMIT_UNSET                  ((long) -1)
-- 
1.8.3.1