From 431c02174078e359b6379b8021e6aeb06b2dbb9d Mon Sep 17 00:00:00 2001
From: Francois Perrad
Date: Mon, 12 Feb 2024 18:26:19 +0100
Subject: [PATCH] package/lua-http: fix CVE-2023-4540

see https://nvd.nist.gov/vuln/detail/CVE-2023-4540 & https://cert.pl/en/posts/2023/09/CVE-2023-4540

Signed-off-by: Francois Perrad
Signed-off-by: Thomas Petazzoni
---
 ...andle-EOF-when-body_read_type-length.patch | 71 +++++++++++++++++++
 package/lua-http/lua-http.mk | 3 +
 2 files changed, 74 insertions(+)
 create mode 100644 package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch

diff --git a/package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch b/package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch
new file mode 100644
index 0000000000..fdbf5243f5
--- /dev/null
+++ b/package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch
@@ -0,0 +1,71 @@
+From ddab2835c583d45dec62680ca8d3cbde55e0bae6 Mon Sep 17 00:00:00 2001
+From: daurnimator
+Date: Tue, 22 Aug 2023 23:30:20 +1000
+Subject: [PATCH] http/h1_stream: handle EOF when `body_read_type==length`
+
+If a client closes the connection before sending the expected number of bytes
+then return `EPIPE`.
+This fixes a potential infinite draining loop when trying to trying to
+`:shutdown()` a stream.
+
+Upstream: https://github.com/daurnimator/lua-http/commit/ddab2835c583d45dec62680ca8d3cbde55e0bae6
+Signed-off-by: Francois Perrad
+---
+ http/h1_stream.lua | 2 ++
+ spec/h1_stream_spec.lua | 27 +++++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+)
+
+diff --git a/lua-http-0.4/http/h1_stream.lua b/lua-http-0.4/http/h1_stream.lua
+index b2469a1..b0ca821 100644
+--- a/lua-http-0.4/http/h1_stream.lua
++++ b/lua-http-0.4/http/h1_stream.lua
+@@ -861,6 +861,8 @@ function stream_methods:read_next_chunk(timeout)
+ if chunk ~= nil then
+ self.body_read_left = length_n - #chunk
+ end_stream = (self.body_read_left == 0)
++ elseif err == nil then
++ return nil, ce.strerror(ce.EPIPE), ce.EPIPE
+ end
+ elseif length_n == 0 then
+ chunk = ""
+diff --git a/lua-http-0.4/spec/h1_stream_spec.lua b/lua-http-0.4/spec/h1_stream_spec.lua
+index f9cfea9..1303f94 100644
+--- a/lua-http-0.4/spec/h1_stream_spec.lua
++++ b/lua-http-0.4/spec/h1_stream_spec.lua
+@@ -295,6 +295,33 @@ describe("http1 stream", function()
+ server:close()
+ client:close()
+ end)
++ it("Doesn't hang when a content-length delimited stream is closed", function()
++ local server, client = new_pair(1.1)
++ local cq = cqueues.new()
++ cq:wrap(function()
++ local stream = client:new_stream()
++ local headers = new_headers()
++ headers:append(":method", "GET")
++ headers:append(":scheme", "http")
++ headers:append(":authority", "myauthority")
++ headers:append(":path", "/a")
++ assert(stream:write_headers(headers, true))
++ end)
++ cq:wrap(function()
++ local stream = server:get_next_incoming_stream()
++ assert(stream:get_headers())
++ local res_headers = new_headers()
++ res_headers:append(":status", "200")
++ res_headers:append("content-length", "100")
++ assert(stream:write_headers(res_headers, false))
++ assert(stream:write_chunk("foo", false))
++ assert(stream:shutdown())
++ end)
++ assert_loop(cq, TEST_TIMEOUT)
++ assert.truthy(cq:empty())
++ server:close()
++ client:close()
++ end)
+ it("allows pipelining", function()
+ local server, client = new_pair(1.1)
+ local cq = cqueues.new()
+--
+2.40.1
+
diff --git a/package/lua-http/lua-http.mk b/package/lua-http/lua-http.mk
index df3e2c0059..34387c12e5 100644
--- a/package/lua-http/lua-http.mk
+++ b/package/lua-http/lua-http.mk
@@ -13,4 +13,7 @@ LUA_HTTP_LICENSE_FILES = $(LUA_HTTP_SUBDIR)/LICENSE.md
 LUA_HTTP_CPE_ID_VERSION = $(LUA_HTTP_VERSION_UPSTREAM)
 LUA_HTTP_CPE_ID_VENDOR = daurnimator
 
+# 0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch
+LUA_HTTP_IGNORE_CVES += CVE-2023-4540
+
 $(eval $(luarocks-package))
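Review bot: The new `elseif err == nil then` branch in read_next_chunk maps a nil chunk with no error to EPIPE, but nothing in the hunk records why a nil/nil read result means the peer closed the connection mid-body; that contract belongs to the read call above line 861, outside the hunk, and the function's body continues past the hunk on both sides. I would put a comment above the new branch, `-- nil chunk with nil err: peer closed before content-length bytes arrived; fail with EPIPE so a body-draining caller such as shutdown() cannot loop forever`. A nil chunk with a non-nil err now falls through the `end` with body_read_left untouched, which presumably reaches the existing error handling below the hunk — worth confirming. The added spec only asserts that the cqueue drains (`cq:empty()`) and never checks that a reader observes EPIPE, so an assertion on the `nil, msg, ce.EPIPE` return would pin the fix more directly.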
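Review bot: `LUA_HTTP_IGNORE_CVES += CVE-2023-4540` is justified only by the patch file named in the comment above it, so the two must be removed together once lua-http is bumped to a release that already contains upstream commit ddab2835c583d45dec62680ca8d3cbde55e0bae6; left behind, the line would keep the CVE suppressed with nothing in the tree backing it. I would make that coupling explicit in the comment, e.g. `# 0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch (drop together with the patch on the next version bump)`. The enclosing variable block is complete within the hunk.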