Diffstat (limited to 'meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch | 98 |
1 files changed, 98 insertions, 0 deletions
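--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch
@@ -0,0 +1,98 @@
+From 5246fa5e75b129a7dbd9722aa4de0cbaf7ceae43 Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Thu, 3 Dec 2020 09:45:07 -0500
+Subject: [PATCH] mime/multipart: handle ReadForm(math.MaxInt64) better
+
+Returning an error about integer overflow is needlessly pedantic.
+The meaning of ReadForm(MaxInt64) is easily understood
+(accept a lot of data) and can be implemented.
+
+Fixes #40430.
+
+Change-Id: I8a522033dd9a2f9ad31dd2ad82cf08d553736ab9
+Reviewed-on: https://go-review.googlesource.com/c/go/+/275112
+Trust: Russ Cox <rsc@golang.org>
+Run-TryBot: Russ Cox <rsc@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Ian Lance Taylor <iant@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5246fa5e75b129a7dbd9722aa4de0cbaf7ceae43]
+CVE: CVE-2022-41725 #Dependency Patch3
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/mime/multipart/formdata.go | 8 ++++++--
+src/mime/multipart/formdata_test.go | 14 +++++---------
+src/net/http/request_test.go | 2 +-
+3 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
+index 4eb31012941ac..9c42ea8c023b5 100644
+--- a/src/mime/multipart/formdata.go
++++ b/src/mime/multipart/formdata.go
+@@ -7,9 +7,9 @@ package multipart
+import (
+"bytes"
+"errors"
+- "fmt"
+"io"
+"io/ioutil"
++ "math"
+"net/textproto"
+"os"
+)
+@@ -43,7 +43,11 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+// Reserve an additional 10 MB for non-file parts.
+maxValueBytes := maxMemory + int64(10<<20)
+if maxValueBytes <= 0 {
+- return nil, fmt.Errorf("multipart: integer overflow from maxMemory(%d) + 10MiB for non-file parts", maxMemory)
++ if maxMemory < 0 {
++ maxValueBytes = 0
++ } else {
++ maxValueBytes = math.MaxInt64
++ }
+}
+for {
+p, err := r.NextPart()
+diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
+index 7112e0d3727fe..e3a3a3eae8e15 100644
+--- a/src/mime/multipart/formdata_test.go
++++ b/src/mime/multipart/formdata_test.go
+@@ -53,20 +53,16 @@ func TestReadFormWithNamelessFile(t *testing.T) {
+}
+}
+
+-// Issue 40430: Ensure that we report integer overflows in additions of maxMemory,
+-// instead of silently and subtly failing without indication.
++// Issue 40430: Handle ReadForm(math.MaxInt64)
+func TestReadFormMaxMemoryOverflow(t *testing.T) {
+b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))
+r := NewReader(b, boundary)
+f, err := r.ReadForm(math.MaxInt64)
+- if err == nil {
+- t.Fatal("Unexpected a non-nil error")
+- }
+- if f != nil {
+- t.Fatalf("Unexpected returned a non-nil form: %v\n", f)
++ if err != nil {
++ t.Fatalf("ReadForm(MaxInt64): %v", err)
+}
+- if g, w := err.Error(), "integer overflow from maxMemory"; !strings.Contains(g, w) {
+- t.Errorf(`Error mismatch\n%q\ndid not contain\n%q`, g, w)
++ if f == nil {
++ t.Fatal("ReadForm(MaxInt64): missing form")
+}
+}
+
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index 19526b9ad791a..689498e19d5dd 100644
+--- a/src/net/http/request_test.go
++++ b/src/net/http/request_test.go
+@@ -285,7 +285,7 @@ func TestMaxInt64ForMultipartFormMaxMemoryOverflow(t *testing.T) {
+t.Fatal(err)
+}
+res.Body.Close()
+- if g, w := res.StatusCode, StatusBadRequest; g != w {
++ if g, w := res.StatusCode, StatusOK; g != w {
+t.Fatalf("Status code mismatch: got %d, want %d", g, w)
+}
+}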
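Review bot: The overflow branch added to `readForm` in formdata.go clamps `maxValueBytes` to `math.MaxInt64`, so a caller passing a near-maximal `maxMemory` gets an effectively unbounded in-memory budget for non-file parts, and nothing in the hunk says so. A comment above the inner `if` would make the two cases explicit, e.g. `// maxMemory+10MiB overflowed (treat as unlimited) or is non-positive because maxMemory is very negative (allow nothing).` Callers that take the unlimited path presumably depend on an outer bound on the request body; that is worth stating wherever `ReadForm` is documented, which is not visible here. The rewritten `TestReadFormMaxMemoryOverflow` exercises only `ReadForm(math.MaxInt64)`, so the `maxMemory < 0` clamp to 0 is not covered by any test in this patch. `readForm`'s body continues outside the hunk.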