Patchwork [denzil,17/18] lighttpd: CVE-2012-5533

Submitter Mark Hatle
Date Feb. 7, 2013, 11:56 p.m.
Message ID <5ad95c2baac5c230efad96f49cc489b3ba8bac72.1360270199.git.mark.hatle@windriver.com>
Permalink /patch/44289/
State New

Comments

Mark Hatle - Feb. 7, 2013, 11:56 p.m.
From: Li Wang <li.wang@windriver.com>

[ CQID: WIND00392071 ]

fix DoS in Connection header value split.
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt
http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
 .../lighttpd/files/lighttpd-CVE-2012-5533.patch    | 120 +++++++++++++++++++++
 meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb  |   3 +-
 2 files changed, 122 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/lighttpd/files/lighttpd-CVE-2012-5533.patch

Patch

diff --git a/meta/recipes-extended/lighttpd/files/lighttpd-CVE-2012-5533.patch b/meta/recipes-extended/lighttpd/files/lighttpd-CVE-2012-5533.patch
new file mode 100644
index 0000000..a9a35a6
--- /dev/null
+++ b/meta/recipes-extended/lighttpd/files/lighttpd-CVE-2012-5533.patch
@@ -0,0 +1,120 @@ 
+lighttpd: CVE-2012-5533
+
+fix DoS in Connection header value split.
+http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt
+http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ src/request.c |   75 +++++++++++++++++++++++++++++----------------------------
+ 1 files changed, 38 insertions(+), 37 deletions(-)
+
+diff --git a/src/request.c b/src/request.c
+index e76a98f..46d636c 100644
+--- a/src/request.c
++++ b/src/request.c
+@@ -209,9 +209,11 @@ static int request_check_hostname(server *srv, connection *con, buffer *host) {
+ #endif
+ 
+ static int http_request_split_value(array *vals, buffer *b) {
+-	char *s;
+ 	size_t i;
+ 	int state = 0;
++
++	const char *current;
++	const char *token_start = NULL, *token_end = NULL;
+ 	/*
+ 	 * parse
+ 	 *
+@@ -222,53 +224,52 @@ static int http_request_split_value(array *vals, buffer *b) {
+ 
+ 	if (b->used == 0) return 0;
+ 
+-	s = b->ptr;
+-
+-	for (i =0; i < b->used - 1; ) {
+-		char *start = NULL, *end = NULL;
++	current = b->ptr;
++	for (i =  0; i < b->used; ++i, ++current) {
+ 		data_string *ds;
+ 
+ 		switch (state) {
+-		case 0: /* ws */
+-
+-			/* skip ws */
+-			for (; (*s == ' ' || *s == '\t') && i < b->used - 1; i++, s++);
+-
+-
+-			state = 1;
+-			break;
+-		case 1: /* value */
+-			start = s;
+-
+-			for (; *s != ',' && i < b->used - 1; i++, s++);
+-			if (start == s) break; /* empty fields are skipped */
+-			end = s - 1;
+-
+-			for (; end > start && (*end == ' ' || *end == '\t'); end--);
+-			if (start == end) break; /* empty fields are skipped */
+-
+-			if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) {
+-				ds = data_string_init();
++		case 0: /* find start of a token */
++			switch (*current) {
++			case ' ':
++			case '\t': /* skip white space */
++			case ',': /* skip empty token */
++				break;
++			case '\0': /* end of string */
++				return 0;
++			default:
++				/* found real data, switch to state 1 to find the end of the token */
++				token_start = token_end = current;
++				state = 1;
++				break;
+ 			}
++			break;
++		case 1: /* find end of token and last non white space character */
++			switch (*current) {
++			case ' ':
++			case '\t':
++				/* space - don't update token_end */
++				break;
++			case ',':
++			case '\0': /* end of string also marks the end of a token */
++				if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) {
++					ds = data_string_init();
++				}
+ 
+-			buffer_copy_string_len(ds->value, start, end-start+1);
+-			array_insert_unique(vals, (data_unset *)ds);
++				buffer_copy_string_len(ds->value, token_start, token_end-token_start+1);
++				array_insert_unique(vals, (data_unset *)ds);
+ 
+-			if (*s == ',') {
+ 				state = 0;
+-				i++;
+-				s++;
+-			} else {
+-				/* end of string */
+-
+-				state = 2;
++				break;
++			default:
++				/* no white space, update token_end to include current character */
++				token_end = current;
++				break;
+ 			}
+ 			break;
+-		default:
+-			i++;
+-			break;
+ 		}
+ 	}
++
+ 	return 0;
+ }
+ 
+-- 
+1.7.0.5
+
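Review bot: The rewritten loop in `http_request_split_value` flushes the final token only through the `case '\0'` arm of state 1, so it depends on `b->used` counting the terminating NUL, and nothing in the new code says so. If a caller ever passed a buffer whose counted bytes end without a `,` or NUL, the last Connection token would be dropped silently. I would add a comment above the loop, for example `/* b->used includes the trailing '\0'; the last token is flushed by the '\0' case in state 1 */`. A second comment on the `for` header should say that every pass consumes exactly one byte, because the old loop had no increment in its header and its `break` on an empty field left `i` and `s` unchanged. Separately, the embedded patch header has no `Upstream-Status:` line; since the upstream fix URL is already cited, `Upstream-Status: Backport` would fit.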
diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb
index c4008af..b86fd4a 100644
--- a/meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb
+++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb
@@ -16,13 +16,14 @@  RDEPENDS_${PN} += " \
                lighttpd-module-staticfile \
 "
 
-PR = "r1"
+PR = "r2"
 
 SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.bz2 \
         file://index.html.lighttpd \
         file://lighttpd.conf \
         file://lighttpd \
         file://lighttpd-fixing-invalid-read-in-valgrind.patch \
+        file://lighttpd-CVE-2012-5533.patch \
 "
 
 SRC_URI[md5sum] = "63f9df52dcae0ab5689a95c99c54e48a"