starlingx/integ
Code Issues Proposed changes
dcd05bea43
integ/base/lighttpd/debian/patches/CVE-2022-37797.patch
Zhixiong Chi cf4c478e66 Debian: lighttpd: fix CVE-2022-37797 
Backport the source patch from the upstream
https://salsa.debian.org/debian/lighttpd/-/blob/buster-security/debian/patches/CVE-2022-37797.patch

Refer to:
https://security-tracker.debian.org/tracker/DLA-3133-1

Test Plan:
Pass: build-pkgs -c -p lighttpd
Pass: build-pkgs -a
Pass: build-image
Pass: Debian AIO jenkins installation
Pass: Successfully host-unlock
Pass: Execute the steps from https://redmine.lighttpd.net/issues/3165
      without the Segmentation fault.

Closes-Bug: 1997327

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Idbcd0937524278f304eb09956e2def71951c4ff4
2022-11-23 21:42:04 -05:00

54 lines
2.3 KiB
Diff
Raw Blame History

From 95ae6094a9eb0cdbfb3f678f4c8e3a2db11aacd2 Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Tue, 22 Nov 2022 18:58:24 -0800
Subject: [PATCH] CVE-2022-37797
[mod_wstunnel] fix crash with bad hybivers (fixes #3165)
(thx Michał Dardas)
x-ref:
"mod_wstunnel null pointer dereference"
https://redmine.lighttpd.net/issues/3165
In order to trigger the reproducer on lighttpd 1.4.53, parsing of the
Sec-Websocket-Version needs to be fixed as has been done in later versions.
Due to internal refactoring, the actual NULL pointer dereference has moved
elsewhere, but still crashes. -- Helmut Grohne
The upstream patch is not a git header format which I have created here.
[Backport from https://salsa.debian.org/debian/lighttpd/-/blob/buster-security/debian/patches/CVE-2022-37797.patch]
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
src/mod_wstunnel.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
index ed5174a..99e3739 100644
--- a/src/mod_wstunnel.c
+++ b/src/mod_wstunnel.c
@@ -466,7 +466,7 @@ static int wstunnel_is_allowed_origin(connection *con, handler_ctx *hctx) {
static int wstunnel_check_request(connection *con, handler_ctx *hctx) {
const buffer * const vers =
http_header_request_get(con, HTTP_HEADER_OTHER, CONST_STR_LEN("Sec-WebSocket-Version"));
- const long hybivers = (NULL != vers) ? strtol(vers->ptr, NULL, 10) : 0;
+ const long hybivers = (NULL != vers) ? (light_isdigit(*vers->ptr) ? strtol(vers->ptr, NULL, 10) : -1) : 0;
if (hybivers < 0 || hybivers > INT_MAX) {
DEBUG_LOG(MOD_WEBSOCKET_LOG_ERR, "s", "invalid Sec-WebSocket-Version");
con->http_status = 400; /* Bad Request */
@@ -506,7 +506,10 @@ static handler_t wstunnel_handler_setup (server *srv, connection *con, plugin_da
hctx->srv = srv; /*(for mod_wstunnel module-specific DEBUG_LOG() macro)*/
hctx->conf = p->conf; /*(copies struct)*/
hybivers = wstunnel_check_request(con, hctx);
- if (hybivers < 0) return HANDLER_FINISHED;
+ if (hybivers < 0) {
+ con->mode = DIRECT;
+ return HANDLER_FINISHED;
+ }
hctx->hybivers = hybivers;
if (0 == hybivers) {
DEBUG_LOG(MOD_WEBSOCKET_LOG_INFO,"s","WebSocket Version = hybi-00");
--
2.34.1
View Git Blame Copy Permalink