From 779d6294a5951849bb1be69d9d35e2f85a9c6860 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jan 03 2019 20:49:58 +0000
Subject: import keepalived-1.3.5-8.el7_6


---

diff --git a/SOURCES/bz1652694-fix-buffer-overflow-http-status.patch b/SOURCES/bz1652694-fix-buffer-overflow-http-status.patch
new file mode 100644
index 0000000..c147780
--- /dev/null
+++ b/SOURCES/bz1652694-fix-buffer-overflow-http-status.patch
@@ -0,0 +1,57 @@
+From f28015671a4b04785859d1b4b1327b367b6a10e9 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Tue, 24 Jul 2018 09:28:43 +0100
+Subject: [PATCH] Fix buffer overflow in extract_status_code()
+
+Issue #960 identified that the buffer allocated for copying the
+HTTP status code could overflow if the http response was corrupted.
+
+This commit changes the way the status code is read, avoids copying
+data, and also ensures that the status code is three digits long,
+is non-negative and occurs on the first line of the response.
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ lib/html.c | 23 +++++++++--------------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
+
+diff --git a/lib/html.c b/lib/html.c
+index 5a3eaeac..69d3bd2d 100644
+--- a/lib/html.c
++++ b/lib/html.c
+@@ -58,23 +58,18 @@ size_t extract_content_length(char *buffer, size_t size)
+  */
+ int extract_status_code(char *buffer, size_t size)
+ {
+-	char *buf_code;
+-	char *begin;
+ 	char *end = buffer + size;
+-	size_t inc = 0;
+-	int code;
+-
+-	/* Allocate the room */
+-	buf_code = (char *)MALLOC(10);
++	unsigned long code;
+ 
+ 	/* Status-Code extraction */
+-	while (buffer < end && *buffer++ != ' ') ;
+-	begin = buffer;
+-	while (buffer < end && *buffer++ != ' ')
+-		inc++;
+-	strncat(buf_code, begin, inc);
+-	code = atoi(buf_code);
+-	FREE(buf_code);
++	while (buffer < end && *buffer != ' ' && *buffer != '\r')
++		buffer++;
++	buffer++;
++	if (buffer + 3 >= end || *buffer == ' ' || buffer[3] != ' ')
++		return 0;
++	code = strtoul(buffer, &end, 10);
++	if (buffer + 3 != end)
++		return 0;
+ 	return code;
+ }
+ 
+-- 
+2.19.1
+
diff --git a/SPECS/keepalived.spec b/SPECS/keepalived.spec
index 4e0a046..83fd422 100644
--- a/SPECS/keepalived.spec
+++ b/SPECS/keepalived.spec
@@ -9,7 +9,7 @@
 Name: keepalived
 Summary: Load balancer and high availability service
 Version: 1.3.5
-Release: 6%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 URL: http://www.keepalived.org/
 Group: System Environment/Daemons
@@ -24,6 +24,7 @@ Patch3: bz1508435-load-ip-tables-handling.patch
 Patch4: bz1508435-no-segfault-ip_vs-load.patch
 Patch5: bz1508435-remove-ipset-handling.patch
 Patch6: bz1477587-exclude-mismatch-vips.patch
+Patch7: bz1652694-fix-buffer-overflow-http-status.patch
 
 Requires: ipset-libs
 Requires(post): systemd
@@ -61,6 +62,7 @@ Keepalived also implements the Virtual Router Redundancy Protocol
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 
 %build
 %configure \
@@ -117,6 +119,12 @@ Keepalived also implements the Virtual Router Redundancy Protocol
 %{_mandir}/man8/keepalived.8*
 
 %changelog
+* Thu Dec 31 2018 Ryan O'Hara <rohara@redhat.com> - 1.3.5-8
+- Fixed patch that was incorrectly removed (#1652694)
+
+* Mon Dec 10 2018 Ryan O'Hara <rohara@redhat.com> - 1.3.5-7
+- Fix buffer overflow when parsing HTTP status codes (#1652694)
+
 * Wed Jan 31 2018 Ryan O'Hara <rohara@redhat.com> - 1.3.5-6
 - Add net-snmp as BuildRequires (#1536252)