2 files changed, 160 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch
new file mode 100644
index 0000000000..ff792d4daa
--- /dev/null
+++ b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch
@@ -0,0 +1,158 @@
+From 86d9a61be6395220714b1a50d5144e65668961f6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ernst=20Sj=C3=B6strand?= <ernst.sjostrand@verisure.com>
+Date: Tue, 21 Dec 2021 11:05:22 +0000
+Subject: [PATCH] Fix buffer overflow in url parser and add test
+Reference:
+https://git.gnunet.org/libmicrohttpd.git/commit/?id=a110ae6276660bee3caab30e9ff3f12f85cf3241
+Upstream-Status: Backport
+CVE: CVE-2021-3466
+Signed-off-by: Ernst Sjöstrand <ernst.sjostrand@verisure.com>
+---
+ src/microhttpd/postprocessor.c      | 18 ++++++--
+ src/microhttpd/test_postprocessor.c | 66 +++++++++++++++++++++++++++++
+ 2 files changed, 80 insertions(+), 4 deletions(-)
+diff --git a/src/microhttpd/postprocessor.c b/src/microhttpd/postprocessor.c
+index b7f6b10..ebd1686 100644
+--- a/src/microhttpd/postprocessor.c
+++ b/src/microhttpd/postprocessor.c
+@@ -137,8 +137,7 @@ struct MHD_PostProcessor
+   void *cls;
+ 
+   /**
+-   * Encoding as given by the headers of the
+-   * connection.
+   * Encoding as given by the headers of the connection.
+    */
+   const char *encoding;
+ 
+@@ -586,7 +585,7 @@ post_process_urlencoded (struct MHD_PostProcessor *pp,
+       pp->state = PP_Error;
+       break;
+     case PP_Callback:
+-      if ( (pp->buffer_pos + (end_key - start_key) >
+      if ( (pp->buffer_pos + (end_key - start_key) >=
+             pp->buffer_size) ||
+            (pp->buffer_pos + (end_key - start_key) <
+             pp->buffer_pos) )
+@@ -636,6 +635,11 @@ post_process_urlencoded (struct MHD_PostProcessor *pp,
+   {
+     if (NULL == end_key) 
+       end_key = &post_data[poff];
+    if (pp->buffer_pos + (end_key - start_key) >= pp->buffer_size)
+    {
+      pp->state = PP_Error;
+      return MHD_NO;
+    }
+     memcpy (&kbuf[pp->buffer_pos],
+             start_key,
+             end_key - start_key);
+@@ -663,6 +667,11 @@ post_process_urlencoded (struct MHD_PostProcessor *pp,
+                    last_escape);
+     pp->must_ikvi = false;
+   }
+  if (PP_Error == pp->state)
+  {
+    /* State in error, returning failure */
+    return MHD_NO;
+  }
+   return MHD_YES;
+ }
+ 
+@@ -1424,7 +1433,8 @@ MHD_destroy_post_processor (struct MHD_PostProcessor *pp)
+      the post-processing may have been interrupted
+      at any stage */
+   if ( (pp->xbuf_pos > 0) ||
+-       (pp->state != PP_Done) )
+       ( (pp->state != PP_Done) &&
+         (pp->state != PP_Init) ) )
+     ret = MHD_NO;
+   else
+     ret = MHD_YES;
+diff --git a/src/microhttpd/test_postprocessor.c b/src/microhttpd/test_postprocessor.c
+index 2c37565..cba486d 100644
+--- a/src/microhttpd/test_postprocessor.c
+++ b/src/microhttpd/test_postprocessor.c
+@@ -451,6 +451,71 @@ test_empty_value (void)
+ }
+ 
+ 
+static enum MHD_Result
+value_checker2 (void *cls,
+                enum MHD_ValueKind kind,
+                const char *key,
+                const char *filename,
+                const char *content_type,
+                const char *transfer_encoding,
+                const char *data,
+                uint64_t off,
+                size_t size)
+{
+  return MHD_YES;
+}
+
+
+static int
+test_overflow ()
+{
+  struct MHD_Connection connection;
+  struct MHD_HTTP_Header header;
+  struct MHD_PostProcessor *pp;
+  size_t i;
+  size_t j;
+  size_t delta;
+  char *buf;
+
+  memset (&connection, 0, sizeof (struct MHD_Connection));
+  memset (&header, 0, sizeof (struct MHD_HTTP_Header));
+  connection.headers_received = &header;
+  header.header = MHD_HTTP_HEADER_CONTENT_TYPE;
+  header.value = MHD_HTTP_POST_ENCODING_FORM_URLENCODED;
+  header.header_size = strlen (header.header);
+  header.value_size = strlen (header.value);
+  header.kind = MHD_HEADER_KIND;
+  for (i = 128; i < 1024 * 1024; i += 1024)
+  {
+    pp = MHD_create_post_processor (&connection,
+                                    1024,
+                                    &value_checker2,
+                                    NULL);
+    buf = malloc (i);
+    if (NULL == buf)
+      return 1;
+    memset (buf, 'A', i);
+    buf[i / 2] = '=';
+    delta = 1 + (MHD_random_ () % (i - 1));
+    j = 0;
+    while (j < i)
+    {
+      if (j + delta > i)
+        delta = i - j;
+      if (MHD_NO ==
+          MHD_post_process (pp,
+                            &buf[j],
+                            delta))
+        break;
+      j += delta;
+    }
+    free (buf);
+    MHD_destroy_post_processor (pp);
+  }
+  return 0;
+}
+
+
+ int
+ main (int argc, char *const *argv)
+ {
+@@ -463,6 +528,7 @@ main (int argc, char *const *argv)
+   errorCount += test_multipart ();
+   errorCount += test_nested_multipart ();
+   errorCount += test_empty_value ();
+  errorCount += test_overflow ();
+   if (errorCount != 0)
+     fprintf (stderr, "Error (code: %u)\n", errorCount);
+   return errorCount != 0;       /* 0 == pass */
diff --git a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb
index 94976d2e98..9d5e85e1ad 100644
--- a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb
+++ b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb
@@ -7,7 +7,8 @@ SECTION = "net"
 DEPENDS = "file"
 SRC_URI = "${GNU_MIRROR}/libmicrohttpd/${BPN}-${PV}.tar.gz \
-"
+           file://CVE-2021-3466.patch \
+           "
 SRC_URI[md5sum] = "dcd6045ecb4ea18c120afedccbd1da74"
 SRC_URI[sha256sum] = "90d0a3d396f96f9bc41eb0f7e8187796049285fabef82604acd4879590977307"

diff --git a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch new file mode 100644 index 0000000000..ff792d4daa --- /dev/null +++ b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch
@@ -0,0 +1,158 @@
		1	From 86d9a61be6395220714b1a50d5144e65668961f6 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Ernst=20Sj=C3=B6strand?= <ernst.sjostrand@verisure.com>
		3	Date: Tue, 21 Dec 2021 11:05:22 +0000
		4	Subject: [PATCH] Fix buffer overflow in url parser and add test
		5
		6	Reference:
		7	https://git.gnunet.org/libmicrohttpd.git/commit/?id=a110ae6276660bee3caab30e9ff3f12f85cf3241
		8
		9	Upstream-Status: Backport
		10	CVE: CVE-2021-3466
		11
		12	Signed-off-by: Ernst Sjöstrand <ernst.sjostrand@verisure.com>
		13	---
		14	src/microhttpd/postprocessor.c \| 18 ++++++--
		15	src/microhttpd/test_postprocessor.c \| 66 +++++++++++++++++++++++++++++
		16	2 files changed, 80 insertions(+), 4 deletions(-)
		17
		18	diff --git a/src/microhttpd/postprocessor.c b/src/microhttpd/postprocessor.c
		19	index b7f6b10..ebd1686 100644
		20	--- a/src/microhttpd/postprocessor.c
		21	+++ b/src/microhttpd/postprocessor.c
		22	@@ -137,8 +137,7 @@ struct MHD_PostProcessor
		23	void *cls;
		24
		25	/**
		26	- * Encoding as given by the headers of the
		27	- * connection.
		28	+ * Encoding as given by the headers of the connection.
		29	*/
		30	const char *encoding;
		31
		32	@@ -586,7 +585,7 @@ post_process_urlencoded (struct MHD_PostProcessor *pp,
		33	pp->state = PP_Error;
		34	break;
		35	case PP_Callback:
		36	- if ( (pp->buffer_pos + (end_key - start_key) >
		37	+ if ( (pp->buffer_pos + (end_key - start_key) >=
		38	pp->buffer_size) \|\|
		39	(pp->buffer_pos + (end_key - start_key) <
		40	pp->buffer_pos) )
		41	@@ -636,6 +635,11 @@ post_process_urlencoded (struct MHD_PostProcessor *pp,
		42	{
		43	if (NULL == end_key)
		44	end_key = &post_data[poff];
		45	+ if (pp->buffer_pos + (end_key - start_key) >= pp->buffer_size)
		46	+ {
		47	+ pp->state = PP_Error;
		48	+ return MHD_NO;
		49	+ }
		50	memcpy (&kbuf[pp->buffer_pos],
		51	start_key,
		52	end_key - start_key);
		53	@@ -663,6 +667,11 @@ post_process_urlencoded (struct MHD_PostProcessor *pp,
		54	last_escape);
		55	pp->must_ikvi = false;
		56	}
		57	+ if (PP_Error == pp->state)
		58	+ {
		59	+ /* State in error, returning failure */
		60	+ return MHD_NO;
		61	+ }
		62	return MHD_YES;
		63	}
		64
		65	@@ -1424,7 +1433,8 @@ MHD_destroy_post_processor (struct MHD_PostProcessor *pp)
		66	the post-processing may have been interrupted
		67	at any stage */
		68	if ( (pp->xbuf_pos > 0) \|\|
		69	- (pp->state != PP_Done) )
		70	+ ( (pp->state != PP_Done) &&
		71	+ (pp->state != PP_Init) ) )
		72	ret = MHD_NO;
		73	else
		74	ret = MHD_YES;
		75	diff --git a/src/microhttpd/test_postprocessor.c b/src/microhttpd/test_postprocessor.c
		76	index 2c37565..cba486d 100644
		77	--- a/src/microhttpd/test_postprocessor.c
		78	+++ b/src/microhttpd/test_postprocessor.c
		79	@@ -451,6 +451,71 @@ test_empty_value (void)
		80	}
		81
		82
		83	+static enum MHD_Result
		84	+value_checker2 (void *cls,
		85	+ enum MHD_ValueKind kind,
		86	+ const char *key,
		87	+ const char *filename,
		88	+ const char *content_type,
		89	+ const char *transfer_encoding,
		90	+ const char *data,
		91	+ uint64_t off,
		92	+ size_t size)
		93	+{
		94	+ return MHD_YES;
		95	+}
		96	+
		97	+
		98	+static int
		99	+test_overflow ()
		100	+{
		101	+ struct MHD_Connection connection;
		102	+ struct MHD_HTTP_Header header;
		103	+ struct MHD_PostProcessor *pp;
		104	+ size_t i;
		105	+ size_t j;
		106	+ size_t delta;
		107	+ char *buf;
		108	+
		109	+ memset (&connection, 0, sizeof (struct MHD_Connection));
		110	+ memset (&header, 0, sizeof (struct MHD_HTTP_Header));
		111	+ connection.headers_received = &header;
		112	+ header.header = MHD_HTTP_HEADER_CONTENT_TYPE;
		113	+ header.value = MHD_HTTP_POST_ENCODING_FORM_URLENCODED;
		114	+ header.header_size = strlen (header.header);
		115	+ header.value_size = strlen (header.value);
		116	+ header.kind = MHD_HEADER_KIND;
		117	+ for (i = 128; i < 1024 * 1024; i += 1024)
		118	+ {
		119	+ pp = MHD_create_post_processor (&connection,
		120	+ 1024,
		121	+ &value_checker2,
		122	+ NULL);
		123	+ buf = malloc (i);
		124	+ if (NULL == buf)
		125	+ return 1;
		126	+ memset (buf, 'A', i);
		127	+ buf[i / 2] = '=';
		128	+ delta = 1 + (MHD_random_ () % (i - 1));
		129	+ j = 0;
		130	+ while (j < i)
		131	+ {
		132	+ if (j + delta > i)
		133	+ delta = i - j;
		134	+ if (MHD_NO ==
		135	+ MHD_post_process (pp,
		136	+ &buf[j],
		137	+ delta))
		138	+ break;
		139	+ j += delta;
		140	+ }
		141	+ free (buf);
		142	+ MHD_destroy_post_processor (pp);
		143	+ }
		144	+ return 0;
		145	+}
		146	+
		147	+
		148	int
		149	main (int argc, char const argv)
		150	{
		151	@@ -463,6 +528,7 @@ main (int argc, char const argv)
		152	errorCount += test_multipart ();
		153	errorCount += test_nested_multipart ();
		154	errorCount += test_empty_value ();
		155	+ errorCount += test_overflow ();
		156	if (errorCount != 0)
		157	fprintf (stderr, "Error (code: %u)\n", errorCount);
		158	return errorCount != 0; /* 0 == pass */


diff --git a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb index 94976d2e98..9d5e85e1ad 100644 --- a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb +++ b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb
@@ -7,7 +7,8 @@ SECTION = "net"
7	DEPENDS = "file"	7	DEPENDS = "file"
8		8
9	SRC_URI = "${GNU_MIRROR}/libmicrohttpd/${BPN}-${PV}.tar.gz \	9	SRC_URI = "${GNU_MIRROR}/libmicrohttpd/${BPN}-${PV}.tar.gz \
10	"	10	file://CVE-2021-3466.patch \
		11	"
11	SRC_URI[md5sum] = "dcd6045ecb4ea18c120afedccbd1da74"	12	SRC_URI[md5sum] = "dcd6045ecb4ea18c120afedccbd1da74"
12	SRC_URI[sha256sum] = "90d0a3d396f96f9bc41eb0f7e8187796049285fabef82604acd4879590977307"	13	SRC_URI[sha256sum] = "90d0a3d396f96f9bc41eb0f7e8187796049285fabef82604acd4879590977307"
13		14