ngompa / rpms / haproxy

Forked from rpms/haproxy 4 years ago
Clone
Source Code
GIT

Blame SOURCES/bz1664533-fix-handling-priority-flag-HTTP2-decoder.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta
  1.   13aca534f335190ac5cce70aa6e51b6665ac9e52
  2.   SOURCES
  3.   bz1664533-fix-handling-priority-flag-HTTP2-decoder.patch
Blob History Raw
febb1d 
From 57c9ecf43f1ae0211367d8ba79540e3a5d288d34 Mon Sep 17 00:00:00 2001
febb1d 
From: Willy Tarreau <w@1wt.eu>
febb1d 
Date: Mon, 31 Dec 2018 07:41:24 +0100
febb1d 
Subject: BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY is used
febb1d 
MIME-Version: 1.0
febb1d 
Content-Type: text/plain; charset=latin1
febb1d 
Content-Transfer-Encoding: 8bit
febb1d
febb1d 
Tim Düsterhus reported a possible crash in the H2 HEADERS frame decoder
febb1d 
when the PRIORITY flag is present. A check is missing to ensure the 5
febb1d 
extra bytes needed with this flag are actually part of the frame. As per
febb1d 
RFC7540#4.2, let's return a connection error with code FRAME_SIZE_ERROR.
febb1d
febb1d 
Many thanks to Tim for responsibly reporting this issue with a working
febb1d 
config and reproducer. This issue was assigned CVE-2018-20615.
febb1d
febb1d 
This fix must be backported to 1.9 and 1.8.
febb1d 
---
febb1d 
 src/mux_h2.c | 5 +++++
febb1d 
 1 file changed, 5 insertions(+)
febb1d
febb1d 
diff --git a/src/mux_h2.c b/src/mux_h2.c
febb1d 
index 5803a84ff..a67bbb049 100644
febb1d 
--- a/src/mux_h2.c
febb1d 
+++ b/src/mux_h2.c
febb1d 
@@ -3297,6 +3297,11 @@ next_frame:
febb1d 
 			goto fail;
febb1d 
 		}
febb1d
febb1d 
+		if (flen < 5) {
febb1d 
+			h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR);
febb1d 
+			goto fail;
febb1d 
+		}
febb1d 
+
febb1d 
 		hdrs += 5; // stream dep = 4, weight = 1
febb1d 
 		flen -= 5;
febb1d 
 	}
febb1d 
--
febb1d 
2.20.1
febb1d

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation