release 2.4.15.2: fix DoS CVE-2024-24814

fix CVE-2024-24814: DoS when `OIDCSessionType client-cookie` is set and a crafted Cookie header is supplied GHSA-hxr6-w4gc-7vvv Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>
OpenIDC · Feb 6, 2024 · 4022c12 · 4022c12
1 parent 388e3ba
commit 4022c12
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 17 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,8 @@
+02/13/2024
+- CVE-2024-24814: prevent DoS when `OIDCSessionType client-cookie` is set and a crafted Cookie header is supplied
+  https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
+- release 2.4.15.2
+
 01/31/2024
 - avoid crash when Forwarded is not present but OIDCXForwardedHeaders is configured for it; see #1171; thanks @daviddpd
 - bump to 2.4.15.2dev

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.15.2dev],[hans.zandbelt@openidc.com])
+AC_INIT([mod_auth_openidc],[2.4.15.2],[hans.zandbelt@openidc.com])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

diff --git a/src/util.c b/src/util.c
@@ -1559,23 +1559,24 @@ static char *oidc_util_get_chunk_cookie_name(request_rec *r, const char *cookieN
  * get a cookie value that is split over a number of chunked cookies
  */
 char *oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName, int chunkSize) {
-	char *cookieValue = NULL;
-	char *chunkValue = NULL;
-	int i = 0;
-	if (chunkSize == 0) {
-		cookieValue = oidc_util_get_cookie(r, cookieName);
-	} else {
-		int chunkCount = oidc_util_get_chunked_count(r, cookieName);
-		if (chunkCount > 0) {
-			cookieValue = "";
-			for (i = 0; i < chunkCount; i++) {
-				chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
-				if (chunkValue != NULL)
-					cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue, chunkValue);
-			}
-		} else {
-			cookieValue = oidc_util_get_cookie(r, cookieName);
+	char *cookieValue = NULL, *chunkValue = NULL;
+	int chunkCount = 0, i = 0;
+	if (chunkSize == 0)
+		return oidc_util_get_cookie(r, cookieName);
+	chunkCount = oidc_util_get_chunked_count(r, cookieName);
+	if (chunkCount == 0)
+		return oidc_util_get_cookie(r, cookieName);
+	if ((chunkCount < 0) || (chunkCount > 99)) {
+		oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
+		return NULL;
+	}
+	for (i = 0; i < chunkCount; i++) {
+		chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
+		if (chunkValue == NULL) {
+			oidc_warn(r, "could not find chunk %d; aborting", i);
+			break;
 		}
+		cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue);
 	}
 	return cookieValue;
 }