TCP/HTTP proxy and load balancer for high availability environments
CentOS Sources
2019-02-05 e85275f8cb6f60b7eed232f77731dd7891f9068c
import rh-haproxy18-haproxy-1.8.4-4.el7
1 files added
1 files modified
55 ■■■■■ changed files
SOURCES/0003-BUG-CRITICAL-fix-handling-priority-flag-HTTP2-decoder.patch 46 ●●●●● patch | view | raw | blame | history
SPECS/haproxy.spec 9 ●●●● patch | view | raw | blame | history
SOURCES/0003-BUG-CRITICAL-fix-handling-priority-flag-HTTP2-decoder.patch
New file
@@ -0,0 +1,46 @@
From 9c2cb57513ac8cc826e9b849fb506587309e12b1 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Mon, 31 Dec 2018 07:41:24 +0100
Subject: [PATCH] BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY
 is used
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Tim Düsterhus reported a possible crash in the H2 HEADERS frame decoder
when the PRIORITY flag is present. A check is missing to ensure the 5
extra bytes needed with this flag are actually part of the frame. As per
RFC7540#4.2, let's return a connection error with code FRAME_SIZE_ERROR.
Many thanks to Tim for responsibly reporting this issue with a working
config and reproducer. This issue was assigned CVE-2018-20615.
This fix must be backported to 1.9 and 1.8.
(cherry picked from commit a01f45e3ced23c799f6e78b5efdbd32198a75354)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit ce376ea771ad5484cf0c7559c59e7ea807733df6)
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
 src/mux_h2.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/mux_h2.c b/src/mux_h2.c
index 7bb51ea4..8fe56233 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -2643,6 +2643,11 @@ static int h2_frt_decode_headers(struct h2s *h2s, struct buffer *buf, int count)
             return 0;//goto fail_stream;
         }
+        if (flen < 5) {
+            h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR);
+            goto fail;
+        }
+
         hdrs += 5; // stream dep = 4, weight = 1
         flen -= 5;
     }
--
2.19.1
SPECS/haproxy.spec
@@ -17,7 +17,7 @@
Name:           %{?scl_prefix}haproxy
Version:        1.8.4
Release:        3%{?dist}
Release:        4%{?dist}
Summary:        TCP/HTTP proxy and load balancer for high availability environments
Group:          System Environment/Daemons
@@ -33,6 +33,7 @@
Patch1: 0001-BUG-CRITICAL-h2-fix-incorrect-frame-length-check.patch
Patch2: 0002-BUG-CRITICAL-hpack-fix-improper-sign-check-header-index.patch
Patch3: 0003-BUG-CRITICAL-fix-handling-priority-flag-HTTP2-decoder.patch
BuildRequires:  pcre-devel
BuildRequires:  zlib-devel
@@ -72,6 +73,7 @@
%setup -q -n %{pkg_name}-%{version}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%build
regparm_opts=
@@ -203,8 +205,11 @@
%endif
%changelog
* Mon Jan 14 2019 Ryan O'Hara <rohara@redhat.com> - 1.8.4-4
- Fix handling of priority flag in HTTP2 decoder (#1663083)
* Wed Sep 19 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.4-3
- Fix improper sign check on the header index value (#1630502)
- Fix improper sign check on the header index value (#1630503)
* Tue May 01 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.4-2
- Fix incorrect HTTP/2 frame length check (#1569808)