summaryrefslogtreecommitdiffstats
path: root/meta-webserver/recipes-httpd/monkey/files/0003-server-parser-harden-boundary-checks.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-webserver/recipes-httpd/monkey/files/0003-server-parser-harden-boundary-checks.patch')
-rw-r--r--meta-webserver/recipes-httpd/monkey/files/0003-server-parser-harden-boundary-checks.patch108
1 files changed, 108 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/monkey/files/0003-server-parser-harden-boundary-checks.patch b/meta-webserver/recipes-httpd/monkey/files/0003-server-parser-harden-boundary-checks.patch
new file mode 100644
index 0000000000..1e56893c65
--- /dev/null
+++ b/meta-webserver/recipes-httpd/monkey/files/0003-server-parser-harden-boundary-checks.patch
@@ -0,0 +1,108 @@
1From b9f24a2968fa62de4a6ecf070fa0389ce10e7729 Mon Sep 17 00:00:00 2001
2From: Eduardo Silva <eduardo@chronosphere.io>
3Date: Thu, 9 Apr 2026 12:11:57 -0600
4Subject: [PATCH] server: parser: harden boundary checks
5
6Tighten parser and helper validation around explicit lengths and
7buffer boundaries.
8
9Require exact header literal matches, validate chunk length tokens,
10and guard helper routines that previously trusted inconsistent
11pointer or length state.
12
13Verified by rebuilding with cmake --build build and replaying the
14reported malformed request fixtures against build/bin/monkey.
15
16Signed-off-by: Eduardo Silva <eduardo@chronosphere.io>
17
18This patch is part of https://github.com/monkey/monkey/pull/434,
19containing assorted CVE fixes.
20
21Upstream-Status: Backport [https://github.com/monkey/monkey/commit/ffe0d0ed1b074ea6f3965c37bb754e9f19130a82]
22Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
23---
24 include/monkey/mk_http_parser.h | 6 +++++-
25 mk_server/mk_http_parser.c | 13 +++++++++++++
26 mk_server/mk_mimetype.c | 7 ++++++-
27 mk_server/mk_user.c | 2 +-
28 4 files changed, 25 insertions(+), 3 deletions(-)
29
30diff --git a/include/monkey/mk_http_parser.h b/include/monkey/mk_http_parser.h
31index 9e3b365e..465ea0e4 100644
32--- a/include/monkey/mk_http_parser.h
33+++ b/include/monkey/mk_http_parser.h
34@@ -389,7 +389,11 @@ int mk_http_parser_chunked_decode_buf(struct mk_http_parser *p,
35
36 static inline int mk_http_parser_more(struct mk_http_parser *p, int len)
37 {
38- if (abs(len - p->i) - 1 > 0) {
39+ if (len <= 0 || p->i < 0) {
40+ return MK_FALSE;
41+ }
42+
43+ if ((p->i + 1) < len) {
44 return MK_TRUE;
45 }
46
47diff --git a/mk_server/mk_http_parser.c b/mk_server/mk_http_parser.c
48index 9413528a..3c831f29 100644
49--- a/mk_server/mk_http_parser.c
50+++ b/mk_server/mk_http_parser.c
51@@ -173,6 +173,16 @@ static inline void request_set(mk_ptr_t *ptr, struct mk_http_parser *p, char *bu
52 static inline int header_cmp(const char *expected, char *value, int len)
53 {
54 int i = 0;
55+ size_t expected_len;
56+
57+ if (len < 0) {
58+ return -1;
59+ }
60+
61+ expected_len = strlen(expected);
62+ if ((size_t) len != expected_len) {
63+ return -1;
64+ }
65
66 if (len >= 8) {
67 if (expected[0] != tolower(value[0])) return -1;
68@@ -535,6 +545,9 @@ parse_more:
69 (errno != 0)) {
70 return MK_HTTP_PARSER_ERROR;
71 }
72+ if (ptr == tmp || *ptr != '\0') {
73+ return MK_HTTP_PARSER_ERROR;
74+ }
75
76 if (chunk_len < 0) {
77 return MK_HTTP_PARSER_ERROR;
78diff --git a/mk_server/mk_mimetype.c b/mk_server/mk_mimetype.c
79index b86b4ef1..5462ea5c 100644
80--- a/mk_server/mk_mimetype.c
81+++ b/mk_server/mk_mimetype.c
82@@ -197,7 +197,12 @@ struct mk_mimetype *mk_mimetype_find(struct mk_server *server, mk_ptr_t *filenam
83 {
84 int j, len;
85
86- j = len = filename->len;
87+ if (!filename->data || filename->len <= 0) {
88+ return NULL;
89+ }
90+
91+ len = filename->len;
92+ j = len - 1;
93
94 /* looking for extension */
95 while (j >= 0 && filename->data[j] != '.') {
96diff --git a/mk_server/mk_user.c b/mk_server/mk_user.c
97index 7200ff08..716331ac 100644
98--- a/mk_server/mk_user.c
99+++ b/mk_server/mk_user.c
100@@ -46,7 +46,7 @@ int mk_user_init(struct mk_http_session *cs, struct mk_http_request *sr,
101 }
102
103 limit = mk_string_char_search(sr->uri_processed.data + offset, '/',
104- sr->uri_processed.len);
105+ sr->uri_processed.len - offset);
106
107 if (limit == -1) {
108 limit = (sr->uri_processed.len) - offset;