Blame SOURCES/CVE-2019-15605-HTTP-request-smuggling.patch

6899e0
From b41d69bedcdbb8fe0cd790d0bcccbb457d6170d3 Mon Sep 17 00:00:00 2001
64563b
From: Sergio Correia <scorreia@redhat.com>
64563b
Date: Wed, 26 Feb 2020 17:03:26 -0300
64563b
Subject: [PATCH] CVE-2019-15605 - HTTP request smuggling
64563b
64563b
Upstream: https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b
64563b
64563b
Support multi-coding Transfer-Encoding
64563b
64563b
`Transfer-Encoding` header might have multiple codings in it. Even
64563b
though llhttp cares only about `chunked`, it must check that `chunked`
64563b
is the last coding (if present).
64563b
64563b
ABNF from RFC 7230:
64563b
64563b
```
64563b
Transfer-Encoding = *( "," OWS ) transfer-coding *( OWS "," [ OWS
64563b
    transfer-coding ] )
64563b
transfer-coding = "chunked" / "compress" / "deflate" / "gzip" /
64563b
    transfer-extension
64563b
   transfer-extension = token *( OWS ";" OWS transfer-parameter )
64563b
   transfer-parameter = token BWS "=" BWS ( token / quoted-string )
64563b
```
64563b
64563b
However, if `chunked` is not last - llhttp must assume that the encoding
64563b
and size of the body is unknown (according to 3.3.3 of RFC 7230) and
64563b
read the response until EOF. For requests, an error must be raised for
64563b
an unknown `Transfer-Encoding`.
64563b
64563b
Furthermore, 3.3.3 of RFC 7230 explicitly states that presence of both
64563b
`Transfer-Encoding` and `Content-Length` indicates a smuggling attack
64563b
and "ought to be handled as an error".
64563b
64563b
For the lenient mode:
64563b
64563b
* Unknown `Transfer-Encoding` in requests is not an error and request
64563b
  body is simply read until EOF (end of connection)
64563b
* Only `Transfer-Encoding: chunked` together with `Content-Length` would
64563b
  result in an error (just like before the patch)
64563b
64563b
PR-URL: nodejs-private/http-parser-private#4
64563b
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
64563b
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
64563b
Reviewed-By: James M Snell <jasnell@gmail.com>
64563b
---
64563b
 http_parser.c | 110 ++++++++++++++++++++++++++++++++++++++++++++------
64563b
 http_parser.h |   8 ++--
64563b
 test.c        |  90 +++++++++++++++++++++++++++++++++++++++--
64563b
 3 files changed, 189 insertions(+), 19 deletions(-)
64563b
64563b
diff --git a/http_parser.c b/http_parser.c
64563b
index aef4437..cd120d8 100644
64563b
--- a/http_parser.c
64563b
+++ b/http_parser.c
64563b
@@ -176,6 +176,22 @@ static const char *method_strings[] =
64563b
 #undef XX
64563b
   };
64563b
 
64563b
+/* Added for handling CVE-2019-15605. */
64563b
+static void reset_flags(http_parser* p)
64563b
+{
64563b
+    p->flags = 0;
64563b
+    p->transfer_encoding = 0;
64563b
+}
64563b
+
64563b
+static void set_transfer_encoding(http_parser* p)
64563b
+{
64563b
+    p->transfer_encoding = 1;
64563b
+}
64563b
+
64563b
+static int is_transfer_encoding(const http_parser* p)
64563b
+{
64563b
+    return p->transfer_encoding;
64563b
+}
64563b
 
64563b
 /* Tokens as defined by rfc 2616. Also lowercases them.
64563b
  *        token       = 1*<any CHAR except CTLs or separators>
64563b
@@ -378,6 +394,7 @@ enum header_states
64563b
   , h_upgrade
64563b
 
64563b
   , h_matching_transfer_encoding_chunked
64563b
+
64563b
   , h_matching_connection_token_start
64563b
   , h_matching_connection_keep_alive
64563b
   , h_matching_connection_close
64563b
@@ -388,6 +405,10 @@ enum header_states
64563b
   , h_connection_keep_alive
64563b
   , h_connection_close
64563b
   , h_connection_upgrade
64563b
+
64563b
+  /* CVE-2019-15605 */
64563b
+  , h_matching_transfer_encoding_token_start
64563b
+  , h_matching_transfer_encoding_token
64563b
   };
64563b
 
64563b
 enum http_host_state
64563b
@@ -722,7 +743,7 @@ reexecute:
64563b
       {
64563b
         if (ch == CR || ch == LF)
64563b
           break;
64563b
-        parser->flags = 0;
64563b
+        reset_flags(parser);
64563b
         parser->content_length = ULLONG_MAX;
64563b
 
64563b
         if (ch == 'H') {
64563b
@@ -757,7 +778,7 @@ reexecute:
64563b
 
64563b
       case s_start_res:
64563b
       {
64563b
-        parser->flags = 0;
64563b
+        reset_flags(parser);
64563b
         parser->content_length = ULLONG_MAX;
64563b
 
64563b
         switch (ch) {
64563b
@@ -921,7 +942,7 @@ reexecute:
64563b
       {
64563b
         if (ch == CR || ch == LF)
64563b
           break;
64563b
-        parser->flags = 0;
64563b
+        reset_flags(parser);
64563b
         parser->content_length = ULLONG_MAX;
64563b
 
64563b
         if (UNLIKELY(!IS_ALPHA(ch))) {
64563b
@@ -1313,6 +1334,7 @@ reexecute:
64563b
                 parser->header_state = h_general;
64563b
               } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
64563b
                 parser->header_state = h_transfer_encoding;
64563b
+                set_transfer_encoding(parser);
64563b
               }
64563b
               break;
64563b
 
64563b
@@ -1393,10 +1415,14 @@ reexecute:
64563b
             if ('c' == c) {
64563b
               parser->header_state = h_matching_transfer_encoding_chunked;
64563b
             } else {
64563b
-              parser->header_state = h_general;
64563b
+              parser->header_state = h_matching_transfer_encoding_token;
64563b
             }
64563b
             break;
64563b
 
64563b
+          /* Multi-value `Transfer-Encoding` header */
64563b
+          case h_matching_transfer_encoding_token_start:
64563b
+            break;
64563b
+
64563b
           case h_content_length:
64563b
             if (UNLIKELY(!IS_NUM(ch))) {
64563b
               SET_ERRNO(HPE_INVALID_CONTENT_LENGTH);
64563b
@@ -1539,16 +1565,41 @@ reexecute:
64563b
               goto error;
64563b
 
64563b
             /* Transfer-Encoding: chunked */
64563b
+            case h_matching_transfer_encoding_token_start:
64563b
+              /* looking for 'Transfer-Encoding: chunked' */
64563b
+              if ('c' == c) {
64563b
+                h_state = h_matching_transfer_encoding_chunked;
64563b
+              } else if (STRICT_TOKEN(c)) {
64563b
+                /* TODO(indutny): similar code below does this, but why?
64563b
+                 * At the very least it seems to be inconsistent given that
64563b
+                 * h_matching_transfer_encoding_token does not check for
64563b
+                 * `STRICT_TOKEN`
64563b
+                 */
64563b
+                h_state = h_matching_transfer_encoding_token;
64563b
+              } else if (c == ' ' || c == '\t') {
64563b
+                /* Skip lws */
64563b
+              } else {
64563b
+                h_state = h_general;
64563b
+              }
64563b
+              break;
64563b
+
64563b
             case h_matching_transfer_encoding_chunked:
64563b
               parser->index++;
64563b
               if (parser->index > sizeof(CHUNKED)-1
64563b
                   || c != CHUNKED[parser->index]) {
64563b
-                h_state = h_general;
64563b
+                h_state = h_matching_transfer_encoding_token;
64563b
               } else if (parser->index == sizeof(CHUNKED)-2) {
64563b
                 h_state = h_transfer_encoding_chunked;
64563b
               }
64563b
               break;
64563b
 
64563b
+            case h_matching_transfer_encoding_token:
64563b
+              if (ch == ',') {
64563b
+                h_state = h_matching_transfer_encoding_token_start;
64563b
+                parser->index = 0;
64563b
+              }
64563b
+              break;
64563b
+
64563b
             case h_matching_connection_token_start:
64563b
               /* looking for 'Connection: keep-alive' */
64563b
               if (c == 'k') {
64563b
@@ -1607,7 +1658,7 @@ reexecute:
64563b
               break;
64563b
 
64563b
             case h_transfer_encoding_chunked:
64563b
-              if (ch != ' ') h_state = h_general;
64563b
+              if (ch != ' ') h_state = h_matching_transfer_encoding_token;
64563b
               break;
64563b
 
64563b
             case h_connection_keep_alive:
64563b
@@ -1732,12 +1783,17 @@ reexecute:
64563b
           REEXECUTE();
64563b
         }
64563b
 
64563b
-        /* Cannot use chunked encoding and a content-length header together
64563b
-           per the HTTP specification. */
64563b
-        if ((parser->flags & F_CHUNKED) &&
64563b
+        /* Cannot use transfer-encoding and a content-length header together
64563b
+           per the HTTP specification. (RFC 7230 Section 3.3.3) */
64563b
+         if ((is_transfer_encoding(parser)) &&
64563b
             (parser->flags & F_CONTENTLENGTH)) {
64563b
-          SET_ERRNO(HPE_UNEXPECTED_CONTENT_LENGTH);
64563b
-          goto error;
64563b
+          /* Allow it for lenient parsing as long as `Transfer-Encoding` is
64563b
+           * not `chunked`
64563b
+           */
64563b
+          if (!lenient || (parser->flags & F_CHUNKED)) {
64563b
+            SET_ERRNO(HPE_UNEXPECTED_CONTENT_LENGTH);
64563b
+            goto error;
64563b
+          }
64563b
         }
64563b
 
64563b
         UPDATE_STATE(s_headers_done);
64563b
@@ -1811,8 +1867,31 @@ reexecute:
64563b
           UPDATE_STATE(NEW_MESSAGE());
64563b
           CALLBACK_NOTIFY(message_complete);
64563b
         } else if (parser->flags & F_CHUNKED) {
64563b
-          /* chunked encoding - ignore Content-Length header */
64563b
+          /* chunked encoding - ignore Content-Length header,
64563b
+           * prepare for a chunk */
64563b
           UPDATE_STATE(s_chunk_size_start);
64563b
+        } else if (is_transfer_encoding(parser)) {
64563b
+          if (parser->type == HTTP_REQUEST && !lenient) {
64563b
+            /* RFC 7230 3.3.3 */
64563b
+
64563b
+            /* If a Transfer-Encoding header field
64563b
+             * is present in a request and the chunked transfer coding is not
64563b
+             * the final encoding, the message body length cannot be determined
64563b
+             * reliably; the server MUST respond with the 400 (Bad Request)
64563b
+             * status code and then close the connection.
64563b
+             */
64563b
+            SET_ERRNO(HPE_INVALID_TRANSFER_ENCODING);
64563b
+            RETURN(p - data); /* Error */
64563b
+          } else {
64563b
+            /* RFC 7230 3.3.3 */
64563b
+
64563b
+            /* If a Transfer-Encoding header field is present in a response and
64563b
+             * the chunked transfer coding is not the final encoding, the
64563b
+             * message body length is determined by reading the connection until
64563b
+             * it is closed by the server.
64563b
+             */
64563b
+            UPDATE_STATE(s_body_identity_eof);
64563b
+          }
64563b
         } else {
64563b
           if (parser->content_length == 0) {
64563b
             /* Content-Length header given but zero: Content-Length: 0\r\n */
64563b
@@ -2064,6 +2143,12 @@ http_message_needs_eof (const http_parser *parser)
64563b
     return 0;
64563b
   }
64563b
 
64563b
+  /* RFC 7230 3.3.3, see `s_headers_almost_done` */
64563b
+  if ((is_transfer_encoding(parser)) &&
64563b
+      (parser->flags & F_CHUNKED) == 0) {
64563b
+    return 1;
64563b
+  }
64563b
+
64563b
   if ((parser->flags & F_CHUNKED) || parser->content_length != ULLONG_MAX) {
64563b
     return 0;
64563b
   }
64563b
@@ -2107,6 +2192,7 @@ http_parser_init (http_parser *parser, enum http_parser_type t)
64563b
   parser->type = t;
64563b
   parser->state = (t == HTTP_REQUEST ? s_start_req : (t == HTTP_RESPONSE ? s_start_res : s_start_req_or_res));
64563b
   parser->http_errno = HPE_OK;
64563b
+  reset_flags(parser);
64563b
 }
64563b
 
64563b
 void
64563b
diff --git a/http_parser.h b/http_parser.h
64563b
index ea7bafe..a4841be 100644
64563b
--- a/http_parser.h
64563b
+++ b/http_parser.h
64563b
@@ -275,8 +275,9 @@ enum flags
64563b
   XX(INVALID_INTERNAL_STATE, "encountered unexpected internal state")\
64563b
   XX(STRICT, "strict mode assertion failed")                         \
64563b
   XX(PAUSED, "parser is paused")                                     \
64563b
-  XX(UNKNOWN, "an unknown error occurred")
64563b
-
64563b
+  XX(UNKNOWN, "an unknown error occurred") \
64563b
+  XX(INVALID_TRANSFER_ENCODING,                                      \
64563b
+     "request has invalid transfer-encoding")
64563b
 
64563b
 /* Define HPE_* values for each errno value above */
64563b
 #define HTTP_ERRNO_GEN(n, s) HPE_##n,
64563b
@@ -293,7 +294,7 @@ enum http_errno {
64563b
 struct http_parser {
64563b
   /** PRIVATE **/
64563b
   unsigned int type : 2;         /* enum http_parser_type */
64563b
-  unsigned int flags : 8;        /* F_* values from 'flags' enum; semi-public */
64563b
+  unsigned int flags : 8;       /* F_* values from 'flags' enum; semi-public */
64563b
   unsigned int state : 7;        /* enum state from http_parser.c */
64563b
   unsigned int header_state : 7; /* enum header_state from http_parser.c */
64563b
   unsigned int index : 7;        /* index into current matcher */
64563b
@@ -318,6 +319,7 @@ struct http_parser {
64563b
 
64563b
   /** PUBLIC **/
64563b
   void *data; /* A pointer to get hook to the "connection" or "socket" object */
64563b
+  unsigned int transfer_encoding : 8; /* CVE-2019-15605 */
64563b
 };
64563b
 
64563b
 
64563b
diff --git a/test.c b/test.c
64563b
index a1fa0d3..bb83d14 100644
64563b
--- a/test.c
64563b
+++ b/test.c
64563b
@@ -260,7 +260,6 @@ const struct message requests[] =
64563b
   ,.type= HTTP_REQUEST
64563b
   ,.raw= "POST /post_identity_body_world?q=search#hey HTTP/1.1\r\n"
64563b
          "Accept: */*\r\n"
64563b
-         "Transfer-Encoding: identity\r\n"
64563b
          "Content-Length: 5\r\n"
64563b
          "\r\n"
64563b
          "World"
64563b
@@ -273,10 +272,9 @@ const struct message requests[] =
64563b
   ,.fragment= "hey"
64563b
   ,.request_path= "/post_identity_body_world"
64563b
   ,.request_url= "/post_identity_body_world?q=search#hey"
64563b
-  ,.num_headers= 3
64563b
+  ,.num_headers= 2
64563b
   ,.headers=
64563b
     { { "Accept", "*/*" }
64563b
-    , { "Transfer-Encoding", "identity" }
64563b
     , { "Content-Length", "5" }
64563b
     }
64563b
   ,.body= "World"
64563b
@@ -1172,6 +1170,61 @@ const struct message requests[] =
64563b
   ,.body= ""
64563b
   }
64563b
 
64563b
+#define POST_MULTI_TE_LAST_CHUNKED 43
64563b
+, {.name= "post - multi coding transfer-encoding chunked body"
64563b
+  ,.type= HTTP_REQUEST
64563b
+  ,.raw= "POST / HTTP/1.1\r\n"
64563b
+         "Transfer-Encoding: deflate, chunked\r\n"
64563b
+         "\r\n"
64563b
+         "1e\r\nall your base are belong to us\r\n"
64563b
+         "0\r\n"
64563b
+         "\r\n"
64563b
+  ,.should_keep_alive= TRUE
64563b
+  ,.message_complete_on_eof= FALSE
64563b
+  ,.http_major= 1
64563b
+  ,.http_minor= 1
64563b
+  ,.method= HTTP_POST
64563b
+  ,.query_string= ""
64563b
+  ,.fragment= ""
64563b
+  ,.request_path= "/"
64563b
+  ,.request_url= "/"
64563b
+  ,.num_headers= 1
64563b
+  ,.headers=
64563b
+    { { "Transfer-Encoding" , "deflate, chunked" }
64563b
+    }
64563b
+  ,.body= "all your base are belong to us"
64563b
+  ,.num_chunks_complete= 2
64563b
+  ,.chunk_lengths= { 0x1e }
64563b
+  }
64563b
+
64563b
+#define POST_MULTI_LINE_TE_LAST_CHUNKED 43
64563b
+, {.name= "post - multi coding transfer-encoding chunked body"
64563b
+  ,.type= HTTP_REQUEST
64563b
+  ,.raw= "POST / HTTP/1.1\r\n"
64563b
+         "Transfer-Encoding: deflate,\r\n"
64563b
+         " chunked\r\n"
64563b
+         "\r\n"
64563b
+         "1e\r\nall your base are belong to us\r\n"
64563b
+         "0\r\n"
64563b
+         "\r\n"
64563b
+  ,.should_keep_alive= TRUE
64563b
+  ,.message_complete_on_eof= FALSE
64563b
+  ,.http_major= 1
64563b
+  ,.http_minor= 1
64563b
+  ,.method= HTTP_POST
64563b
+  ,.query_string= ""
64563b
+  ,.fragment= ""
64563b
+  ,.request_path= "/"
64563b
+  ,.request_url= "/"
64563b
+  ,.num_headers= 1
64563b
+  ,.headers=
64563b
+    { { "Transfer-Encoding" , "deflate, chunked" }
64563b
+    }
64563b
+  ,.body= "all your base are belong to us"
64563b
+  ,.num_chunks_complete= 2
64563b
+  ,.chunk_lengths= { 0x1e }
64563b
+  }
64563b
+
64563b
 , {.name= NULL } /* sentinel */
64563b
 };
64563b
 
64563b
@@ -1951,6 +2004,29 @@ const struct message responses[] =
64563b
   ,.chunk_lengths= { 2, 2 }
64563b
   }
64563b
 
64563b
+#define HTTP_200_MULTI_TE_NOT_LAST_CHUNKED 28
64563b
+, {.name= "HTTP 200 response with `chunked` being *not last* Transfer-Encoding"
64563b
+  ,.type= HTTP_RESPONSE
64563b
+  ,.raw= "HTTP/1.1 200 OK\r\n"
64563b
+         "Transfer-Encoding: chunked, identity\r\n"
64563b
+         "\r\n"
64563b
+         "2\r\n"
64563b
+         "OK\r\n"
64563b
+         "0\r\n"
64563b
+         "\r\n"
64563b
+  ,.should_keep_alive= FALSE
64563b
+  ,.message_complete_on_eof= TRUE
64563b
+  ,.http_major= 1
64563b
+  ,.http_minor= 1
64563b
+  ,.status_code= 200
64563b
+  ,.response_status= "OK"
64563b
+  ,.num_headers= 1
64563b
+  ,.headers= { { "Transfer-Encoding", "chunked, identity" }
64563b
+             }
64563b
+  ,.body= "2\r\nOK\r\n0\r\n\r\n"
64563b
+  ,.num_chunks_complete= 0
64563b
+  }
64563b
+
64563b
 , {.name= NULL } /* sentinel */
64563b
 };
64563b
 
64563b
@@ -3629,7 +3705,7 @@ test_chunked_content_length_error (int req)
64563b
   parsed = http_parser_execute(&parser, &settings_null, buf, strlen(buf));
64563b
   assert(parsed == strlen(buf));
64563b
 
64563b
-  buf = "Transfer-Encoding: chunked\r\nContent-Length: 1\r\n\r\n";
64563b
+  buf = "Transfer-Encoding: anything\r\nContent-Length: 1\r\n\r\n";
64563b
   size_t buflen = strlen(buf);
64563b
 
64563b
   parsed = http_parser_execute(&parser, &settings_null, buf, buflen);
64563b
@@ -4277,6 +4353,12 @@ main (void)
64563b
               "fooba",
64563b
               HPE_OK);
64563b
 
64563b
+  // Unknown Transfer-Encoding in request
64563b
+  test_simple("GET / HTTP/1.1\r\n"
64563b
+              "Transfer-Encoding: unknown\r\n"
64563b
+              "\r\n",
64563b
+              HPE_INVALID_TRANSFER_ENCODING);
64563b
+
64563b
   static const char *all_methods[] = {
64563b
     "DELETE",
64563b
     "GET",
64563b
-- 
64563b
2.18.2
64563b