diff options
Diffstat (limited to 'meta-webserver/recipes-httpd/monkey/files/0003-server-parser-harden-boundary-checks.patch')
| -rw-r--r-- | meta-webserver/recipes-httpd/monkey/files/0003-server-parser-harden-boundary-checks.patch | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/monkey/files/0003-server-parser-harden-boundary-checks.patch b/meta-webserver/recipes-httpd/monkey/files/0003-server-parser-harden-boundary-checks.patch new file mode 100644 index 0000000000..1e56893c65 --- /dev/null +++ b/meta-webserver/recipes-httpd/monkey/files/0003-server-parser-harden-boundary-checks.patch | |||
| @@ -0,0 +1,108 @@ | |||
| 1 | From b9f24a2968fa62de4a6ecf070fa0389ce10e7729 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Eduardo Silva <eduardo@chronosphere.io> | ||
| 3 | Date: Thu, 9 Apr 2026 12:11:57 -0600 | ||
| 4 | Subject: [PATCH] server: parser: harden boundary checks | ||
| 5 | |||
| 6 | Tighten parser and helper validation around explicit lengths and | ||
| 7 | buffer boundaries. | ||
| 8 | |||
| 9 | Require exact header literal matches, validate chunk length tokens, | ||
| 10 | and guard helper routines that previously trusted inconsistent | ||
| 11 | pointer or length state. | ||
| 12 | |||
| 13 | Verified by rebuilding with cmake --build build and replaying the | ||
| 14 | reported malformed request fixtures against build/bin/monkey. | ||
| 15 | |||
| 16 | Signed-off-by: Eduardo Silva <eduardo@chronosphere.io> | ||
| 17 | |||
| 18 | This patch is part of https://github.com/monkey/monkey/pull/434, | ||
| 19 | containing assorted CVE fixes. | ||
| 20 | |||
| 21 | Upstream-Status: Backport [https://github.com/monkey/monkey/commit/ffe0d0ed1b074ea6f3965c37bb754e9f19130a82] | ||
| 22 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 23 | --- | ||
| 24 | include/monkey/mk_http_parser.h | 6 +++++- | ||
| 25 | mk_server/mk_http_parser.c | 13 +++++++++++++ | ||
| 26 | mk_server/mk_mimetype.c | 7 ++++++- | ||
| 27 | mk_server/mk_user.c | 2 +- | ||
| 28 | 4 files changed, 25 insertions(+), 3 deletions(-) | ||
| 29 | |||
| 30 | diff --git a/include/monkey/mk_http_parser.h b/include/monkey/mk_http_parser.h | ||
| 31 | index 9e3b365e..465ea0e4 100644 | ||
| 32 | --- a/include/monkey/mk_http_parser.h | ||
| 33 | +++ b/include/monkey/mk_http_parser.h | ||
| 34 | @@ -389,7 +389,11 @@ int mk_http_parser_chunked_decode_buf(struct mk_http_parser *p, | ||
| 35 | |||
| 36 | static inline int mk_http_parser_more(struct mk_http_parser *p, int len) | ||
| 37 | { | ||
| 38 | - if (abs(len - p->i) - 1 > 0) { | ||
| 39 | + if (len <= 0 || p->i < 0) { | ||
| 40 | + return MK_FALSE; | ||
| 41 | + } | ||
| 42 | + | ||
| 43 | + if ((p->i + 1) < len) { | ||
| 44 | return MK_TRUE; | ||
| 45 | } | ||
| 46 | |||
| 47 | diff --git a/mk_server/mk_http_parser.c b/mk_server/mk_http_parser.c | ||
| 48 | index 9413528a..3c831f29 100644 | ||
| 49 | --- a/mk_server/mk_http_parser.c | ||
| 50 | +++ b/mk_server/mk_http_parser.c | ||
| 51 | @@ -173,6 +173,16 @@ static inline void request_set(mk_ptr_t *ptr, struct mk_http_parser *p, char *bu | ||
| 52 | static inline int header_cmp(const char *expected, char *value, int len) | ||
| 53 | { | ||
| 54 | int i = 0; | ||
| 55 | + size_t expected_len; | ||
| 56 | + | ||
| 57 | + if (len < 0) { | ||
| 58 | + return -1; | ||
| 59 | + } | ||
| 60 | + | ||
| 61 | + expected_len = strlen(expected); | ||
| 62 | + if ((size_t) len != expected_len) { | ||
| 63 | + return -1; | ||
| 64 | + } | ||
| 65 | |||
| 66 | if (len >= 8) { | ||
| 67 | if (expected[0] != tolower(value[0])) return -1; | ||
| 68 | @@ -535,6 +545,9 @@ parse_more: | ||
| 69 | (errno != 0)) { | ||
| 70 | return MK_HTTP_PARSER_ERROR; | ||
| 71 | } | ||
| 72 | + if (ptr == tmp || *ptr != '\0') { | ||
| 73 | + return MK_HTTP_PARSER_ERROR; | ||
| 74 | + } | ||
| 75 | |||
| 76 | if (chunk_len < 0) { | ||
| 77 | return MK_HTTP_PARSER_ERROR; | ||
| 78 | diff --git a/mk_server/mk_mimetype.c b/mk_server/mk_mimetype.c | ||
| 79 | index b86b4ef1..5462ea5c 100644 | ||
| 80 | --- a/mk_server/mk_mimetype.c | ||
| 81 | +++ b/mk_server/mk_mimetype.c | ||
| 82 | @@ -197,7 +197,12 @@ struct mk_mimetype *mk_mimetype_find(struct mk_server *server, mk_ptr_t *filenam | ||
| 83 | { | ||
| 84 | int j, len; | ||
| 85 | |||
| 86 | - j = len = filename->len; | ||
| 87 | + if (!filename->data || filename->len <= 0) { | ||
| 88 | + return NULL; | ||
| 89 | + } | ||
| 90 | + | ||
| 91 | + len = filename->len; | ||
| 92 | + j = len - 1; | ||
| 93 | |||
| 94 | /* looking for extension */ | ||
| 95 | while (j >= 0 && filename->data[j] != '.') { | ||
| 96 | diff --git a/mk_server/mk_user.c b/mk_server/mk_user.c | ||
| 97 | index 7200ff08..716331ac 100644 | ||
| 98 | --- a/mk_server/mk_user.c | ||
| 99 | +++ b/mk_server/mk_user.c | ||
| 100 | @@ -46,7 +46,7 @@ int mk_user_init(struct mk_http_session *cs, struct mk_http_request *sr, | ||
| 101 | } | ||
| 102 | |||
| 103 | limit = mk_string_char_search(sr->uri_processed.data + offset, '/', | ||
| 104 | - sr->uri_processed.len); | ||
| 105 | + sr->uri_processed.len - offset); | ||
| 106 | |||
| 107 | if (limit == -1) { | ||
| 108 | limit = (sr->uri_processed.len) - offset; | ||
