High Availability monitor built upon LVS, VRRP and service pollers
CentOS Sources
2019-01-03 680b9c65999a7d600c34508019267ec996285a2f
import keepalived-1.3.5-8.el7_6
1 file added
1 file modified
67 lines changed
SOURCES/bz1652694-fix-buffer-overflow-http-status.patch (57 lines)
SPECS/keepalived.spec (10 lines)
SOURCES/bz1652694-fix-buffer-overflow-http-status.patch
New file
@@ -0,0 +1,57 @@
From f28015671a4b04785859d1b4b1327b367b6a10e9 Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Tue, 24 Jul 2018 09:28:43 +0100
Subject: [PATCH] Fix buffer overflow in extract_status_code()
Issue #960 identified that the buffer allocated for copying the
HTTP status code could overflow if the http response was corrupted.
This commit changes the way the status code is read, avoids copying
data, and also ensures that the status code is three digits long,
is non-negative and occurs on the first line of the response.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
 lib/html.c | 23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)
diff --git a/lib/html.c b/lib/html.c
index 5a3eaeac..69d3bd2d 100644
--- a/lib/html.c
+++ b/lib/html.c
@@ -58,23 +58,18 @@ size_t extract_content_length(char *buffer, size_t size)
  */
 int extract_status_code(char *buffer, size_t size)
 {
-    char *buf_code;
-    char *begin;
     char *end = buffer + size;
-    size_t inc = 0;
-    int code;
-
-    /* Allocate the room */
-    buf_code = (char *)MALLOC(10);
+    unsigned long code;
     /* Status-Code extraction */
-    while (buffer < end && *buffer++ != ' ') ;
-    begin = buffer;
-    while (buffer < end && *buffer++ != ' ')
-        inc++;
-    strncat(buf_code, begin, inc);
-    code = atoi(buf_code);
-    FREE(buf_code);
+    while (buffer < end && *buffer != ' ' && *buffer != '\r')
+        buffer++;
+    buffer++;
+    if (buffer + 3 >= end || *buffer == ' ' || buffer[3] != ' ')
+        return 0;
+    code = strtoul(buffer, &end, 10);
+    if (buffer + 3 != end)
+        return 0;
     return code;
 }
--
2.19.1
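Review bot: the sign and whitespace handling of strtoul() undercuts the "three digits long" and "non-negative" guarantees the commit message claims for this hunk. The checks `if (buffer + 3 >= end || *buffer == ' ' || buffer[3] != ' ')` and `if (buffer + 3 != end)` only require that three bytes sit between the separators and that strtoul() consumed exactly those three bytes, but strtoul() also consumes a leading '+' or '-' (and leading whitespace other than the single ' ' tested for), so a status field such as "+12" or "-12" is accepted, and for "-12" the unsigned long result is then converted to the int return value. Checking isdigit() on buffer[0], buffer[1] and buffer[2] before calling strtoul() would enforce the stated contract directly. Two smaller points: `code = strtoul(buffer, &end, 10);` reuses `end`, which up to that line is the end-of-buffer sentinel, as the parse end pointer, and a separate `char *endptr` would keep the two meanings apart; and after `while (buffer < end && *buffer != ' ' && *buffer != '\r')` the unconditional `buffer++;` also steps over a '\r' or past `end`, so a first line with no space is not rejected at that point and relies on the later checks, whereas returning 0 when the loop stopped on '\r' or at `end` would make the first-line requirement explicit.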
SPECS/keepalived.spec
@@ -9,7 +9,7 @@
Name: keepalived
Summary: Load balancer and high availability service
Version: 1.3.5
Release: 6%{?dist}
Release: 8%{?dist}
License: GPLv2+
URL: http://www.keepalived.org/
Group: System Environment/Daemons
@@ -24,6 +24,7 @@
Patch4: bz1508435-no-segfault-ip_vs-load.patch
Patch5: bz1508435-remove-ipset-handling.patch
Patch6: bz1477587-exclude-mismatch-vips.patch
Patch7: bz1652694-fix-buffer-overflow-http-status.patch
Requires: ipset-libs
Requires(post): systemd
@@ -61,6 +62,7 @@
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%build
%configure \
@@ -117,6 +119,12 @@
%{_mandir}/man8/keepalived.8*
%changelog
* Thu Dec 31 2018 Ryan O'Hara <rohara@redhat.com> - 1.3.5-8
- Fixed patch that was incorrectly removed (#1652694)
* Mon Dec 10 2018 Ryan O'Hara <rohara@redhat.com> - 1.3.5-7
- Fix buffer overflow when parsing HTTP status codes (#1652694)
* Wed Jan 31 2018 Ryan O'Hara <rohara@redhat.com> - 1.3.5-6
- Add net-snmp as BuildRequires (#1536252)
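Review bot: the day of week in the new entry `* Thu Dec 31 2018 Ryan O'Hara <rohara@redhat.com> - 1.3.5-8` does not match the calendar (31 December 2018 was a Monday), and rpmbuild warns about a bogus date in %changelog for such entries; the commit itself is dated 2019-01-03, a Thursday, so the intended date should be checked and the entry corrected. The other two entries in this hunk have consistent weekdays.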