- Backport security fixes in ssl_engine_io.c

* [SECURITY] mod_ssl: Fix potential input filter segfaults in
  SPECULATIVE mode. (rollback handling for AP_MODE_SPECULATIVE)
  "This issue has possible security implications; it's been assigned CVE
  CAN-2004-0751 (cve.mitre.org)."
  http://issues.apache.org/bugzilla/show_bug.cgi?id=30134

* [SECURITY] mod_ssl: Fix potential infinite loop.
  (potential infinite loop in ssl_io_input_getline if connection is
  aborted without inctx->rc being set.)
  http://issues.apache.org/bugzilla/show_bug.cgi?id=27945
  http://issues.apache.org/bugzilla/show_bug.cgi?id=29690

Obtained from:  Apache CVS (httpd-2.0 HEAD)

www/apache2/Makefile

@@ -9,7 +9,7 @@
 
 PORTNAME=	apache
 PORTVERSION=	2.0.50
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD} \
 		http://sheepkiller.nerim.net/ports/${PORTNAME}/:powerlogo

www/apache2/files/patch-secfix-modules:ssl:ssl_engine_io.c

@@ -0,0 +1,34 @@
+===================================================================
+RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_io.c,v
+retrieving revision 1.124
+retrieving revision 1.126
+diff -u -r1.124 -r1.126
+--- modules/ssl/ssl_engine_io.c	2004/07/13 18:11:22	1.124
++++ modules/ssl/ssl_engine_io.c	2004/08/17 16:31:23	1.126
+@@ -564,8 +564,12 @@
+         *len = bytes;
+         if (inctx->mode == AP_MODE_SPECULATIVE) {
+             /* We want to rollback this read. */
+-            inctx->cbuf.value -= bytes;
+-            inctx->cbuf.length += bytes;
++            if (inctx->cbuf.length > 0) {
++                inctx->cbuf.value -= bytes;
++                inctx->cbuf.length += bytes;
++            } else {
++                char_buffer_write(&inctx->cbuf, buf, (int)bytes);
++            }
+             return APR_SUCCESS;
+         }
+         /* This could probably be *len == wanted, but be safe from stray
+@@ -589,6 +593,10 @@
+     while (1) {
+ 
+         if (!inctx->filter_ctx->pssl) {
++            /* Ensure a non-zero error code is returned */
++            if (inctx->rc == APR_SUCCESS) {
++                inctx->rc = APR_EGENERAL;
++            }
+             break;
+         }
+ 
+

www/apache20/Makefile

@@ -9,7 +9,7 @@
 
 PORTNAME=	apache
 PORTVERSION=	2.0.50
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD} \
 		http://sheepkiller.nerim.net/ports/${PORTNAME}/:powerlogo

www/apache20/files/patch-secfix-modules:ssl:ssl_engine_io.c

@@ -0,0 +1,34 @@
+===================================================================
+RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_io.c,v
+retrieving revision 1.124
+retrieving revision 1.126
+diff -u -r1.124 -r1.126
+--- modules/ssl/ssl_engine_io.c	2004/07/13 18:11:22	1.124
++++ modules/ssl/ssl_engine_io.c	2004/08/17 16:31:23	1.126
+@@ -564,8 +564,12 @@
+         *len = bytes;
+         if (inctx->mode == AP_MODE_SPECULATIVE) {
+             /* We want to rollback this read. */
+-            inctx->cbuf.value -= bytes;
+-            inctx->cbuf.length += bytes;
++            if (inctx->cbuf.length > 0) {
++                inctx->cbuf.value -= bytes;
++                inctx->cbuf.length += bytes;
++            } else {
++                char_buffer_write(&inctx->cbuf, buf, (int)bytes);
++            }
+             return APR_SUCCESS;
+         }
+         /* This could probably be *len == wanted, but be safe from stray
+@@ -589,6 +593,10 @@
+     while (1) {
+ 
+         if (!inctx->filter_ctx->pssl) {
++            /* Ensure a non-zero error code is returned */
++            if (inctx->rc == APR_SUCCESS) {
++                inctx->rc = APR_EGENERAL;
++            }
+             break;
+         }
+ 
+