NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/lua-http: fix CVE-2023-4540

Browse Source 
see https://nvd.nist.gov/vuln/detail/CVE-2023-4540
  & https://cert.pl/en/posts/2023/09/CVE-2023-4540

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit is contained in:
Francois Perrad 2024-02-12 18:26:19 +01:00 committed by Thomas Petazzoni
parent ed804a9f0c
commit 431c021740
2 changed files with 74 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch Normal file
View File

@ -0,0 +1,71 @@
From ddab2835c583d45dec62680ca8d3cbde55e0bae6 Mon Sep 17 00:00:00 2001
From: daurnimator <quae@daurnimator.com>
Date: Tue, 22 Aug 2023 23:30:20 +1000
Subject: [PATCH] http/h1_stream: handle EOF when `body_read_type==length`
If a client closes the connection before sending the expected number of bytes
then return `EPIPE`.
This fixes a potential infinite draining loop when trying to trying to
`:shutdown()` a stream.
Upstream: https://github.com/daurnimator/lua-http/commit/ddab2835c583d45dec62680ca8d3cbde55e0bae6
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
---
http/h1_stream.lua | 2 ++
spec/h1_stream_spec.lua | 27 +++++++++++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/lua-http-0.4/http/h1_stream.lua b/lua-http-0.4/http/h1_stream.lua
index b2469a1..b0ca821 100644
--- a/lua-http-0.4/http/h1_stream.lua
+++ b/lua-http-0.4/http/h1_stream.lua
@@ -861,6 +861,8 @@ function stream_methods:read_next_chunk(timeout)
if chunk ~= nil then
self.body_read_left = length_n - #chunk
end_stream = (self.body_read_left == 0)
+ elseif err == nil then
+ return nil, ce.strerror(ce.EPIPE), ce.EPIPE
end
elseif length_n == 0 then
chunk = ""
diff --git a/lua-http-0.4/spec/h1_stream_spec.lua b/lua-http-0.4/spec/h1_stream_spec.lua
index f9cfea9..1303f94 100644
--- a/lua-http-0.4/spec/h1_stream_spec.lua
+++ b/lua-http-0.4/spec/h1_stream_spec.lua
@@ -295,6 +295,33 @@ describe("http1 stream", function()
server:close()
client:close()
end)
+ it("Doesn't hang when a content-length delimited stream is closed", function()
+ local server, client = new_pair(1.1)
+ local cq = cqueues.new()
+ cq:wrap(function()
+ local stream = client:new_stream()
+ local headers = new_headers()
+ headers:append(":method", "GET")
+ headers:append(":scheme", "http")
+ headers:append(":authority", "myauthority")
+ headers:append(":path", "/a")
+ assert(stream:write_headers(headers, true))
+ end)
+ cq:wrap(function()
+ local stream = server:get_next_incoming_stream()
+ assert(stream:get_headers())
+ local res_headers = new_headers()
+ res_headers:append(":status", "200")
+ res_headers:append("content-length", "100")
+ assert(stream:write_headers(res_headers, false))
+ assert(stream:write_chunk("foo", false))
+ assert(stream:shutdown())
+ end)
+ assert_loop(cq, TEST_TIMEOUT)
+ assert.truthy(cq:empty())
+ server:close()
+ client:close()
+ end)
it("allows pipelining", function()
local server, client = new_pair(1.1)
local cq = cqueues.new()
--
2.40.1

3
package/lua-http/lua-http.mk
View File

@ -13,4 +13,7 @@ LUA_HTTP_LICENSE_FILES = $(LUA_HTTP_SUBDIR)/LICENSE.md
LUA_HTTP_CPE_ID_VERSION = $(LUA_HTTP_VERSION_UPSTREAM)
LUA_HTTP_CPE_ID_VENDOR = daurnimator
# 0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch
LUA_HTTP_IGNORE_CVES += CVE-2023-4540
$(eval $(luarocks-package))