Blame SOURCES/CVE-2018-12121.patch

From 05da7fb51cda374ae351829f67018924f931f18b Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Tue, 18 Feb 2020 09:10:18 -0300
Subject: [PATCH] CVE-2018-12121
---
 http_parser.c | 15 +++++++++++----
 http_parser.h |  3 +++
 2 files changed, 14 insertions(+), 4 deletions(-)
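--- a/http_parser.c
+++ b/http_parser.c
@@ -25,6 +25,8 @@
 #include <string.h>
 #include <limits.h>
 
+static uint32_t max_header_size = HTTP_MAX_HEADER_SIZE;
+
 #ifndef ULLONG_MAX
 # define ULLONG_MAX ((uint64_t) -1) /* 2^64-1 */
 #endif
@@ -137,20 +139,20 @@ do {                                                                 \
 } while (0)
 
 /* Don't allow the total size of the HTTP headers (including the status
- * line) to exceed HTTP_MAX_HEADER_SIZE.  This check is here to protect
+ * line) to exceed max_header_size.  This check is here to protect
  * embedders against denial-of-service attacks where the attacker feeds
  * us a never-ending header that the embedder keeps buffering.
  *
  * This check is arguably the responsibility of embedders but we're doing
  * it on the embedder's behalf because most won't bother and this way we
- * make the web a little safer.  HTTP_MAX_HEADER_SIZE is still far bigger
+ * make the web a little safer.  max_header_size is still far bigger
  * than any reasonable request or response so this should never affect
  * day-to-day operation.
  */
 #define COUNT_HEADER_SIZE(V)                                         \
 do {                                                                 \
   parser->nread += (V);                                              \
-  if (UNLIKELY(parser->nread > (HTTP_MAX_HEADER_SIZE))) {            \
+  if (UNLIKELY(parser->nread > (max_header_size))) {                 \
     SET_ERRNO(HPE_HEADER_OVERFLOW);                                  \
     goto error;                                                      \
   }                                                                  \
@@ -1471,7 +1473,7 @@ reexecute:
               const char* p_lf;
               size_t limit = data + len - p;
 
-              limit = MIN(limit, HTTP_MAX_HEADER_SIZE);
+              limit = MIN(limit, max_header_size);
 
               p_cr = (const char*) memchr(p, CR, limit);
               p_lf = (const char*) memchr(p, LF, limit);
@@ -2438,3 +2440,8 @@ http_parser_version(void) {
          HTTP_PARSER_VERSION_MINOR * 0x00100 |
          HTTP_PARSER_VERSION_PATCH * 0x00001;
 }
+
+void
+http_parser_set_max_header_size(uint32_t size) {
+  max_header_size = size;
+}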
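Review bot: `http_parser_set_max_header_size()` (last hunk) stores its argument straight into the file-scope `max_header_size` with no bounds, so 0 makes `COUNT_HEADER_SIZE` fail every message with `HPE_HEADER_OVERFLOW`, and a very large value effectively turns off the never-ending-header protection described above the macro. The limit is a single process-wide static read by every parser and the write is unsynchronised, so calling the setter while another thread is parsing is a data race; if the intent is set-once-at-startup, document it on the definition and on the http_parser.h declaration, e.g. `/* Process-wide limit in bytes; set once before any parser runs. Not thread-safe. */`. The kept comment text "still far bigger than any reasonable request or response" is no longer guaranteed once the value is caller-chosen and could be reworded. It may also be worth checking, against the `nread` declaration that lies outside this patch, that the counter cannot wrap before it exceeds a limit close to the `uint32_t` maximum.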
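--- a/http_parser.h
+++ b/http_parser.h
@@ -427,6 +427,9 @@ void http_parser_pause(http_parser *parser, int paused);
 /* Checks if this is the final chunk of the body. */
 int http_body_is_final(const http_parser *parser);
 
+/* Change the maximum header size provided at compile time. */
+void http_parser_set_max_header_size(uint32_t size);
+
 #ifdef __cplusplus
 }
 #endif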
-- 
2.18.2