author | Frank de Brabander <debrabander@gmail.com> | 2022-10-18 18:37:51 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-11-09 17:42:03 +0000 |
commit | 600261eafa3866761dd38fdf8987fddcc10fde6a (patch) | |
tree | 2a6246975f820031fc31980333b693a89cc89c0d /meta | |
parent | 5502d7326cc5e8da56227457a2f874d22cd49389 (diff) | |
download | poky-600261eafa3866761dd38fdf8987fddcc10fde6a.tar.gz |
cve-update-db-native: add timeout to urlopen() calls
The urlopen() call can block indefinitely under some circumstances.
This can result in the bitbake process running endlessly because
the 'do_fetch' task of cve-update-bb-native remains active.
This adds a default timeout of 60 seconds to avoid this hang, while
being large enough to minimize the risk of unwanted timeouts.
(From OE-Core rev: f51a6742bcae3a151a326d17cd44935815eb78c7)
Signed-off-by: Frank de Brabander <debrabander@gmail.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e5f6652854f544106b40d860de2946954de642f3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-core/meta/cve-update-db-native.bb | 9 |
1 files changed, 7 insertions, 2 deletions
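--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -17,6 +17,9 @@ deltask do_populate_sysroot
 # Use a negative value to skip the update
 CVE_DB_UPDATE_INTERVAL ?= "86400"
 
+# Timeout for blocking socket operations, such as the connection attempt.
+CVE_SOCKET_TIMEOUT ?= "60"
+
 python () {
 if not bb.data.inherits_class("cve-check", d):
 raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
@@ -39,6 +42,8 @@ python do_fetch() {
 db_file = d.getVar("CVE_CHECK_DB_FILE")
 db_dir = os.path.dirname(db_file)
 
+cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT"))
+
 if os.path.exists("{0}-journal".format(db_file)):
 # If a journal is present the last update might have been interrupted. In that case,
 # just wipe any leftovers and force the DB to be recreated.
@@ -77,7 +82,7 @@ python do_fetch() {
 
 # Retrieve meta last modified date
 try:
-response = urllib.request.urlopen(meta_url)
+response = urllib.request.urlopen(meta_url, timeout=cve_socket_timeout)
 except urllib.error.URLError as e:
 cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n')
 bb.warn("Failed to fetch CVE data (%s)" % e.reason)
@@ -104,7 +109,7 @@ python do_fetch() {
 
 # Update db with current year json file
 try:
-response = urllib.request.urlopen(json_url)
+response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout)
 if response:
 update_db(conn, gzip.decompress(response.read()).decode('utf-8'))
 conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close()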
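Review bot: A timeout that fires while the body is being read, at `response.read()` in the last hunk, is raised as `socket.timeout` rather than `urllib.error.URLError`, so the new `timeout=` argument adds a failure mode that a handler like the visible `except urllib.error.URLError as e:` after the `meta_url` call would not catch. The `except` clause of the `json_url` block lies outside the hunk, so this needs confirming there; if it also names only `URLError`, a stalled download would abort `do_fetch` with a traceback instead of taking the warning path, and `except (urllib.error.URLError, socket.timeout) as e:` (with `socket` imported, and without relying on `e.reason`) would cover it. Separately, `int(d.getVar("CVE_SOCKET_TIMEOUT"))` accepts `"0"`, which puts the socket in non-blocking mode and makes the connect fail immediately, and raises a bare `ValueError` on an empty or non-numeric value, with a negative one rejected only later when the timeout is applied. A range check that reports the variable name through `bb.fatal` would make such a misconfiguration obvious, which matters because a failed update presumably leaves cve-check reading a stale database.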