diff --git a/SOURCES/bz1652694-fix-buffer-overflow-http-status.patch b/SOURCES/bz1652694-fix-buffer-overflow-http-status.patch
new file mode 100644
index 0000000..c147780
--- /dev/null
+++ b/SOURCES/bz1652694-fix-buffer-overflow-http-status.patch
@@ -0,0 +1,57 @@
+From f28015671a4b04785859d1b4b1327b367b6a10e9 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage
+Date: Tue, 24 Jul 2018 09:28:43 +0100
+Subject: [PATCH] Fix buffer overflow in extract_status_code()
+
+Issue #960 identified that the buffer allocated for copying the
+HTTP status code could overflow if the http response was corrupted.
+
+This commit changes the way the status code is read, avoids copying
+data, and also ensures that the status code is three digits long,
+is non-negative and occurs on the first line of the response.
+
+Signed-off-by: Quentin Armitage
+---
+ lib/html.c | 23 +++++++++--------------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
+
+diff --git a/lib/html.c b/lib/html.c
+index 5a3eaeac..69d3bd2d 100644
+--- a/lib/html.c
++++ b/lib/html.c
+@@ -58,23 +58,18 @@ size_t extract_content_length(char *buffer, size_t size)
+ */
+ int extract_status_code(char *buffer, size_t size)
+ {
+- char *buf_code;
+- char *begin;
+ char *end = buffer + size;
+- size_t inc = 0;
+- int code;
+-
+- /* Allocate the room */
+- buf_code = (char *)MALLOC(10);
++ unsigned long code;
+ 
+ /* Status-Code extraction */
+- while (buffer < end && *buffer++ != ' ') ;
+- begin = buffer;
+- while (buffer < end && *buffer++ != ' ')
+- inc++;
+- strncat(buf_code, begin, inc);
+- code = atoi(buf_code);
+- FREE(buf_code);
++ while (buffer < end && *buffer != ' ' && *buffer != '\r')
++ buffer++;
++ buffer++;
++ if (buffer + 3 >= end || *buffer == ' ' || buffer[3] != ' ')
++ return 0;
++ code = strtoul(buffer, &end, 10);
++ if (buffer + 3 != end)
++ return 0;
+ return code;
+ }
+ 
+--
+2.19.1
+
diff --git a/SPECS/keepalived.spec b/SPECS/keepalived.spec
index 4e0a046..83fd422 100644
--- a/SPECS/keepalived.spec
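Review bot: The added `if` guard before `strtoul()` in the new extract_status_code() still admits input the commit message says is rejected, because strtoul skips leading whitespace and accepts a sign: `-12 ` or `+12 ` pass both `*buffer == ' '` and `buffer[3] != ' '`, parse with `end == buffer + 3`, and are returned as a negative or two-digit code, and `\n12 ` reached after the loop stops at `\r` is accepted the same way from the second line. Checking the three bytes before parsing closes all three cases: `if (!isdigit((unsigned char)buffer[0]) || !isdigit((unsigned char)buffer[1]) || !isdigit((unsigned char)buffer[2])) return 0;` inserted ahead of the strtoul call (it needs `<ctype.h>` if lib/html.c does not already include it). Reusing `end` as strtoul's endptr also overwrites the buffer bound, so a separate `char *p` for the endptr would keep `end` meaningful for any later bounds check. The nested hunk shows the whole function, but the surrounding lib/html.c is visible only through this vendored patch.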
+++ b/SPECS/keepalived.spec
@@ -9,7 +9,7 @@
 Name: keepalived
 Summary: Load balancer and high availability service
 Version: 1.3.5
-Release: 6%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 URL: http://www.keepalived.org/
 Group: System Environment/Daemons
@@ -24,6 +24,7 @@ Patch3: bz1508435-load-ip-tables-handling.patch
 Patch4: bz1508435-no-segfault-ip_vs-load.patch
 Patch5: bz1508435-remove-ipset-handling.patch
 Patch6: bz1477587-exclude-mismatch-vips.patch
+Patch7: bz1652694-fix-buffer-overflow-http-status.patch
 
 Requires: ipset-libs
 Requires(post): systemd
@@ -61,6 +62,7 @@ Keepalived also implements the Virtual Router Redundancy Protocol
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 
 %build
 %configure \
@@ -117,6 +119,12 @@ Keepalived also implements the Virtual Router Redundancy Protocol
 %{_mandir}/man8/keepalived.8*
 
 %changelog
+* Thu Dec 31 2018 Ryan O'Hara - 1.3.5-8
+- Fixed patch that was incorrectly removed (#1652694)
+
+* Mon Dec 10 2018 Ryan O'Hara - 1.3.5-7
+- Fix buffer overflow when parsing HTTP status codes (#1652694)
+
 * Wed Jan 31 2018 Ryan O'Hara - 1.3.5-6
 - Add net-snmp as BuildRequires (#1536252)