diff options
author | Ernst Sjöstrand <ernst.sjostrand@verisure.com> | 2021-12-22 09:56:33 +0000 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2021-12-27 11:50:03 -0800 |
commit | ddaf5f92cc553ce7deb43a39de7a731a2f081d2d (patch) | |
tree | 460132dd02a1a768c1ecd0c8876aaed95e5c0110 | |
parent | 82264cbf0b69e9f0f07428a48f26f0261aa9a0d8 (diff) | |
download | meta-openembedded-ddaf5f92cc553ce7deb43a39de7a731a2f081d2d.tar.gz |
libmicrohttpd: Add patch to fix CVE-2021-3466
Extract patch from the 0.9.71 release commit.
Upstream-Status: Backport
CVE: CVE-2021-3466
Signed-off-by: Ernst Sjöstrand <ernst.sjostrand@verisure.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch | 158 | ||||
-rw-r--r-- | meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb | 3 |
2 files changed, 160 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch new file mode 100644 index 000000000..ff792d4da --- /dev/null +++ b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch | |||
@@ -0,0 +1,158 @@ | |||
1 | From 86d9a61be6395220714b1a50d5144e65668961f6 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Ernst=20Sj=C3=B6strand?= <ernst.sjostrand@verisure.com> | ||
3 | Date: Tue, 21 Dec 2021 11:05:22 +0000 | ||
4 | Subject: [PATCH] Fix buffer overflow in url parser and add test | ||
5 | |||
6 | Reference: | ||
7 | https://git.gnunet.org/libmicrohttpd.git/commit/?id=a110ae6276660bee3caab30e9ff3f12f85cf3241 | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | CVE: CVE-2021-3466 | ||
11 | |||
12 | Signed-off-by: Ernst Sjöstrand <ernst.sjostrand@verisure.com> | ||
13 | --- | ||
14 | src/microhttpd/postprocessor.c | 18 ++++++-- | ||
15 | src/microhttpd/test_postprocessor.c | 66 +++++++++++++++++++++++++++++ | ||
16 | 2 files changed, 80 insertions(+), 4 deletions(-) | ||
17 | |||
18 | diff --git a/src/microhttpd/postprocessor.c b/src/microhttpd/postprocessor.c | ||
19 | index b7f6b10..ebd1686 100644 | ||
20 | --- a/src/microhttpd/postprocessor.c | ||
21 | +++ b/src/microhttpd/postprocessor.c | ||
22 | @@ -137,8 +137,7 @@ struct MHD_PostProcessor | ||
23 | void *cls; | ||
24 | |||
25 | /** | ||
26 | - * Encoding as given by the headers of the | ||
27 | - * connection. | ||
28 | + * Encoding as given by the headers of the connection. | ||
29 | */ | ||
30 | const char *encoding; | ||
31 | |||
32 | @@ -586,7 +585,7 @@ post_process_urlencoded (struct MHD_PostProcessor *pp, | ||
33 | pp->state = PP_Error; | ||
34 | break; | ||
35 | case PP_Callback: | ||
36 | - if ( (pp->buffer_pos + (end_key - start_key) > | ||
37 | + if ( (pp->buffer_pos + (end_key - start_key) >= | ||
38 | pp->buffer_size) || | ||
39 | (pp->buffer_pos + (end_key - start_key) < | ||
40 | pp->buffer_pos) ) | ||
41 | @@ -636,6 +635,11 @@ post_process_urlencoded (struct MHD_PostProcessor *pp, | ||
42 | { | ||
43 | if (NULL == end_key) | ||
44 | end_key = &post_data[poff]; | ||
45 | + if (pp->buffer_pos + (end_key - start_key) >= pp->buffer_size) | ||
46 | + { | ||
47 | + pp->state = PP_Error; | ||
48 | + return MHD_NO; | ||
49 | + } | ||
50 | memcpy (&kbuf[pp->buffer_pos], | ||
51 | start_key, | ||
52 | end_key - start_key); | ||
53 | @@ -663,6 +667,11 @@ post_process_urlencoded (struct MHD_PostProcessor *pp, | ||
54 | last_escape); | ||
55 | pp->must_ikvi = false; | ||
56 | } | ||
57 | + if (PP_Error == pp->state) | ||
58 | + { | ||
59 | + /* State in error, returning failure */ | ||
60 | + return MHD_NO; | ||
61 | + } | ||
62 | return MHD_YES; | ||
63 | } | ||
64 | |||
65 | @@ -1424,7 +1433,8 @@ MHD_destroy_post_processor (struct MHD_PostProcessor *pp) | ||
66 | the post-processing may have been interrupted | ||
67 | at any stage */ | ||
68 | if ( (pp->xbuf_pos > 0) || | ||
69 | - (pp->state != PP_Done) ) | ||
70 | + ( (pp->state != PP_Done) && | ||
71 | + (pp->state != PP_Init) ) ) | ||
72 | ret = MHD_NO; | ||
73 | else | ||
74 | ret = MHD_YES; | ||
75 | diff --git a/src/microhttpd/test_postprocessor.c b/src/microhttpd/test_postprocessor.c | ||
76 | index 2c37565..cba486d 100644 | ||
77 | --- a/src/microhttpd/test_postprocessor.c | ||
78 | +++ b/src/microhttpd/test_postprocessor.c | ||
79 | @@ -451,6 +451,71 @@ test_empty_value (void) | ||
80 | } | ||
81 | |||
82 | |||
83 | +static enum MHD_Result | ||
84 | +value_checker2 (void *cls, | ||
85 | + enum MHD_ValueKind kind, | ||
86 | + const char *key, | ||
87 | + const char *filename, | ||
88 | + const char *content_type, | ||
89 | + const char *transfer_encoding, | ||
90 | + const char *data, | ||
91 | + uint64_t off, | ||
92 | + size_t size) | ||
93 | +{ | ||
94 | + return MHD_YES; | ||
95 | +} | ||
96 | + | ||
97 | + | ||
98 | +static int | ||
99 | +test_overflow () | ||
100 | +{ | ||
101 | + struct MHD_Connection connection; | ||
102 | + struct MHD_HTTP_Header header; | ||
103 | + struct MHD_PostProcessor *pp; | ||
104 | + size_t i; | ||
105 | + size_t j; | ||
106 | + size_t delta; | ||
107 | + char *buf; | ||
108 | + | ||
109 | + memset (&connection, 0, sizeof (struct MHD_Connection)); | ||
110 | + memset (&header, 0, sizeof (struct MHD_HTTP_Header)); | ||
111 | + connection.headers_received = &header; | ||
112 | + header.header = MHD_HTTP_HEADER_CONTENT_TYPE; | ||
113 | + header.value = MHD_HTTP_POST_ENCODING_FORM_URLENCODED; | ||
114 | + header.header_size = strlen (header.header); | ||
115 | + header.value_size = strlen (header.value); | ||
116 | + header.kind = MHD_HEADER_KIND; | ||
117 | + for (i = 128; i < 1024 * 1024; i += 1024) | ||
118 | + { | ||
119 | + pp = MHD_create_post_processor (&connection, | ||
120 | + 1024, | ||
121 | + &value_checker2, | ||
122 | + NULL); | ||
123 | + buf = malloc (i); | ||
124 | + if (NULL == buf) | ||
125 | + return 1; | ||
126 | + memset (buf, 'A', i); | ||
127 | + buf[i / 2] = '='; | ||
128 | + delta = 1 + (MHD_random_ () % (i - 1)); | ||
129 | + j = 0; | ||
130 | + while (j < i) | ||
131 | + { | ||
132 | + if (j + delta > i) | ||
133 | + delta = i - j; | ||
134 | + if (MHD_NO == | ||
135 | + MHD_post_process (pp, | ||
136 | + &buf[j], | ||
137 | + delta)) | ||
138 | + break; | ||
139 | + j += delta; | ||
140 | + } | ||
141 | + free (buf); | ||
142 | + MHD_destroy_post_processor (pp); | ||
143 | + } | ||
144 | + return 0; | ||
145 | +} | ||
146 | + | ||
147 | + | ||
148 | int | ||
149 | main (int argc, char *const *argv) | ||
150 | { | ||
151 | @@ -463,6 +528,7 @@ main (int argc, char *const *argv) | ||
152 | errorCount += test_multipart (); | ||
153 | errorCount += test_nested_multipart (); | ||
154 | errorCount += test_empty_value (); | ||
155 | + errorCount += test_overflow (); | ||
156 | if (errorCount != 0) | ||
157 | fprintf (stderr, "Error (code: %u)\n", errorCount); | ||
158 | return errorCount != 0; /* 0 == pass */ | ||
diff --git a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb index 94976d2e9..9d5e85e1a 100644 --- a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb +++ b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb | |||
@@ -7,7 +7,8 @@ SECTION = "net" | |||
7 | DEPENDS = "file" | 7 | DEPENDS = "file" |
8 | 8 | ||
9 | SRC_URI = "${GNU_MIRROR}/libmicrohttpd/${BPN}-${PV}.tar.gz \ | 9 | SRC_URI = "${GNU_MIRROR}/libmicrohttpd/${BPN}-${PV}.tar.gz \ |
10 | " | 10 | file://CVE-2021-3466.patch \ |
11 | " | ||
11 | SRC_URI[md5sum] = "dcd6045ecb4ea18c120afedccbd1da74" | 12 | SRC_URI[md5sum] = "dcd6045ecb4ea18c120afedccbd1da74" |
12 | SRC_URI[sha256sum] = "90d0a3d396f96f9bc41eb0f7e8187796049285fabef82604acd4879590977307" | 13 | SRC_URI[sha256sum] = "90d0a3d396f96f9bc41eb0f7e8187796049285fabef82604acd4879590977307" |
13 | 14 | ||