diff options
Diffstat (limited to 'meta/recipes-devtools/go/go-1.14/CVE-2022-41723.patch')
| -rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2022-41723.patch | 156 |
1 files changed, 156 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41723.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41723.patch new file mode 100644 index 0000000000..a93fa31dcd --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41723.patch | |||
| @@ -0,0 +1,156 @@ | |||
| 1 | From 451766789f646617157c725e20c955d4a9a70d4e Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Roland Shoemaker <bracewell@google.com> | ||
| 3 | Date: Mon, 6 Feb 2023 10:03:44 -0800 | ||
| 4 | Subject: [PATCH] net/http: update bundled golang.org/x/net/http2 | ||
| 5 | |||
| 6 | Disable cmd/internal/moddeps test, since this update includes PRIVATE | ||
| 7 | track fixes. | ||
| 8 | |||
| 9 | Fixes CVE-2022-41723 | ||
| 10 | Fixes #58355 | ||
| 11 | Updates #57855 | ||
| 12 | |||
| 13 | Change-Id: Ie870562a6f6e44e4e8f57db6a0dde1a41a2b090c | ||
| 14 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728939 | ||
| 15 | Reviewed-by: Damien Neil <dneil@google.com> | ||
| 16 | Reviewed-by: Julie Qiu <julieqiu@google.com> | ||
| 17 | Reviewed-by: Tatiana Bradley <tatianabradley@google.com> | ||
| 18 | Run-TryBot: Roland Shoemaker <bracewell@google.com> | ||
| 19 | Reviewed-on: https://go-review.googlesource.com/c/go/+/468118 | ||
| 20 | TryBot-Result: Gopher Robot <gobot@golang.org> | ||
| 21 | Run-TryBot: Michael Pratt <mpratt@google.com> | ||
| 22 | Auto-Submit: Michael Pratt <mpratt@google.com> | ||
| 23 | Reviewed-by: Than McIntosh <thanm@google.com> | ||
| 24 | |||
| 25 | Upstream-Status: Backport [https://github.com/golang/go/commit/5c3e11bd0b5c0a86e5beffcd4339b86a902b21c3] | ||
| 26 | CVE: CVE-2022-41723 | ||
| 27 | Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> | ||
| 28 | --- | ||
| 29 | src/vendor/golang.org/x/net/http2/hpack/hpack.go | 79 +++++++++++++++--------- | ||
| 30 | 1 file changed, 49 insertions(+), 30 deletions(-) | ||
| 31 | |||
| 32 | diff --git a/src/vendor/golang.org/x/net/http2/hpack/hpack.go b/src/vendor/golang.org/x/net/http2/hpack/hpack.go | ||
| 33 | index 85f18a2..02e80e3 100644 | ||
| 34 | --- a/src/vendor/golang.org/x/net/http2/hpack/hpack.go | ||
| 35 | +++ b/src/vendor/golang.org/x/net/http2/hpack/hpack.go | ||
| 36 | @@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error { | ||
| 37 | |||
| 38 | var hf HeaderField | ||
| 39 | wantStr := d.emitEnabled || it.indexed() | ||
| 40 | + var undecodedName undecodedString | ||
| 41 | if nameIdx > 0 { | ||
| 42 | ihf, ok := d.at(nameIdx) | ||
| 43 | if !ok { | ||
| 44 | @@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error { | ||
| 45 | } | ||
| 46 | hf.Name = ihf.Name | ||
| 47 | } else { | ||
| 48 | - hf.Name, buf, err = d.readString(buf, wantStr) | ||
| 49 | + undecodedName, buf, err = d.readString(buf) | ||
| 50 | if err != nil { | ||
| 51 | return err | ||
| 52 | } | ||
| 53 | } | ||
| 54 | - hf.Value, buf, err = d.readString(buf, wantStr) | ||
| 55 | + undecodedValue, buf, err := d.readString(buf) | ||
| 56 | if err != nil { | ||
| 57 | return err | ||
| 58 | } | ||
| 59 | + if wantStr { | ||
| 60 | + if nameIdx <= 0 { | ||
| 61 | + hf.Name, err = d.decodeString(undecodedName) | ||
| 62 | + if err != nil { | ||
| 63 | + return err | ||
| 64 | + } | ||
| 65 | + } | ||
| 66 | + hf.Value, err = d.decodeString(undecodedValue) | ||
| 67 | + if err != nil { | ||
| 68 | + return err | ||
| 69 | + } | ||
| 70 | + } | ||
| 71 | d.buf = buf | ||
| 72 | if it.indexed() { | ||
| 73 | d.dynTab.add(hf) | ||
| 74 | @@ -459,46 +472,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) { | ||
| 75 | return 0, origP, errNeedMore | ||
| 76 | } | ||
| 77 | |||
| 78 | -// readString decodes an hpack string from p. | ||
| 79 | +// readString reads an hpack string from p. | ||
| 80 | // | ||
| 81 | -// wantStr is whether s will be used. If false, decompression and | ||
| 82 | -// []byte->string garbage are skipped if s will be ignored | ||
| 83 | -// anyway. This does mean that huffman decoding errors for non-indexed | ||
| 84 | -// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server | ||
| 85 | -// is returning an error anyway, and because they're not indexed, the error | ||
| 86 | -// won't affect the decoding state. | ||
| 87 | -func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) { | ||
| 88 | +// It returns a reference to the encoded string data to permit deferring decode costs | ||
| 89 | +// until after the caller verifies all data is present. | ||
| 90 | +func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) { | ||
| 91 | if len(p) == 0 { | ||
| 92 | - return "", p, errNeedMore | ||
| 93 | + return u, p, errNeedMore | ||
| 94 | } | ||
| 95 | isHuff := p[0]&128 != 0 | ||
| 96 | strLen, p, err := readVarInt(7, p) | ||
| 97 | if err != nil { | ||
| 98 | - return "", p, err | ||
| 99 | + return u, p, err | ||
| 100 | } | ||
| 101 | if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) { | ||
| 102 | - return "", nil, ErrStringLength | ||
| 103 | + // Returning an error here means Huffman decoding errors | ||
| 104 | + // for non-indexed strings past the maximum string length | ||
| 105 | + // are ignored, but the server is returning an error anyway | ||
| 106 | + // and because the string is not indexed the error will not | ||
| 107 | + // affect the decoding state. | ||
| 108 | + return u, nil, ErrStringLength | ||
| 109 | } | ||
| 110 | if uint64(len(p)) < strLen { | ||
| 111 | - return "", p, errNeedMore | ||
| 112 | - } | ||
| 113 | - if !isHuff { | ||
| 114 | - if wantStr { | ||
| 115 | - s = string(p[:strLen]) | ||
| 116 | - } | ||
| 117 | - return s, p[strLen:], nil | ||
| 118 | + return u, p, errNeedMore | ||
| 119 | } | ||
| 120 | + u.isHuff = isHuff | ||
| 121 | + u.b = p[:strLen] | ||
| 122 | + return u, p[strLen:], nil | ||
| 123 | +} | ||
| 124 | |||
| 125 | - if wantStr { | ||
| 126 | - buf := bufPool.Get().(*bytes.Buffer) | ||
| 127 | - buf.Reset() // don't trust others | ||
| 128 | - defer bufPool.Put(buf) | ||
| 129 | - if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil { | ||
| 130 | - buf.Reset() | ||
| 131 | - return "", nil, err | ||
| 132 | - } | ||
| 133 | +type undecodedString struct { | ||
| 134 | + isHuff bool | ||
| 135 | + b []byte | ||
| 136 | +} | ||
| 137 | + | ||
| 138 | +func (d *Decoder) decodeString(u undecodedString) (string, error) { | ||
| 139 | + if !u.isHuff { | ||
| 140 | + return string(u.b), nil | ||
| 141 | + } | ||
| 142 | + buf := bufPool.Get().(*bytes.Buffer) | ||
| 143 | + buf.Reset() // don't trust others | ||
| 144 | + var s string | ||
| 145 | + err := huffmanDecode(buf, d.maxStrLen, u.b) | ||
| 146 | + if err == nil { | ||
| 147 | s = buf.String() | ||
| 148 | - buf.Reset() // be nice to GC | ||
| 149 | } | ||
| 150 | - return s, p[strLen:], nil | ||
| 151 | + buf.Reset() // be nice to GC | ||
| 152 | + bufPool.Put(buf) | ||
| 153 | + return s, err | ||
| 154 | } | ||
| 155 | -- | ||
| 156 | 2.7.4 | ||