!67 [sync] PR-65: Fix CVE-2023-25950

From: @openeuler-sync-bot 
Reviewed-by: @wu-leilei 
Signed-off-by: @wu-leilei

CVE-2023-25950.patch

@@ -0,0 +1,75 @@
+From 22b44d5f2c7ce1ed0e4b62c639991d5abbd42a50 Mon Sep 17 00:00:00 2001
+From: Amaury Denoyelle <adenoyelle@haproxy.com>
+Date: Wed, 7 Dec 2022 14:31:42 +0100
+Subject: [PATCH] BUG/MEDIUM: h3: reject request with invalid header name
+
+Reject request containing invalid header name. This concerns every
+header containing uppercase letter or a non HTTP token such as a space.
+
+For the moment, this kind of errors triggers a connection close. In the
+future, it should be handled only with a stream reset. To reduce
+backport surface, this will be implemented in another commit.
+
+Thanks to Yuki Mogi from FFRI Security, Inc. for having reported this.
+
+This must be backported up to 2.6.
+
+(cherry picked from commit d6fb7a0e0f3a79afa1f4b6fc7b62053c3955dc4a)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+(cherry picked from commit 3ca4223c5e1f18a19dc93b0b09ffdbd295554d46)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+---
+ src/h3.c |   30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/src/h3.c b/src/h3.c
+index 97e821e..5f1c68a 100644
+--- a/src/h3.c
++++ b/src/h3.c
+@@ -352,7 +352,27 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
+ 	//struct ist scheme = IST_NULL, authority = IST_NULL;
+ 	struct ist authority = IST_NULL;
+ 	int hdr_idx, ret;
+-	int cookie = -1, last_cookie = -1;
++	int cookie = -1, last_cookie = -1, i;
++
++	/* RFC 9114 4.1.2. Malformed Requests and Responses
++	 *
++	 * A malformed request or response is one that is an otherwise valid
++	 * sequence of frames but is invalid due to:
++	 * - the presence of prohibited fields or pseudo-header fields,
++	 * - the absence of mandatory pseudo-header fields,
++	 * - invalid values for pseudo-header fields,
++	 * - pseudo-header fields after fields,
++	 * - an invalid sequence of HTTP messages,
++	 * - the inclusion of uppercase field names, or
++	 * - the inclusion of invalid characters in field names or values.
++	 *
++	 * [...]
++	 *
++	 * Intermediaries that process HTTP requests or responses (i.e., any
++	 * intermediary not acting as a tunnel) MUST NOT forward a malformed
++	 * request or response. Malformed requests or responses that are
++	 * detected MUST be treated as a stream error of type H3_MESSAGE_ERROR.
++	 */
+ 
+ 	TRACE_ENTER(H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
+ 
+@@ -416,6 +436,14 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
+ 		if (isteq(list[hdr_idx].n, ist("")))
+ 			break;
+ 
++		for (i = 0; i < list[hdr_idx].n.len; ++i) {
++			const char c = list[hdr_idx].n.ptr[i];
++			if ((uint8_t)(c - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {
++				TRACE_ERROR("invalid characters in field name", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
++				return -1;
++			}
++		}
++
+ 		if (isteq(list[hdr_idx].n, ist("cookie"))) {
+ 			http_cookie_register(list, hdr_idx, &cookie, &last_cookie);
+ 			continue;
+-- 
+1.7.10.4
+

haproxy.spec

@@ -5,7 +5,7 @@
 
 Name:             haproxy
 Version:          2.6.6
-Release:          2
+Release:          3
 Summary:          The Reliable, High Performance TCP/HTTP Load Balancer
 
 License:          GPLv2+
@@ -18,6 +18,7 @@ Source4:          %{name}.sysconfig
 
 Patch0:           CVE-2023-25725.patch
 Patch1:           CVE-2023-0056.patch
+Patch2:           CVE-2023-25950.patch
 
 BuildRequires:    gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic
 Requires(pre):    shadow-utils
@@ -119,6 +120,9 @@ exit 0
 %{_mandir}/man1/*
 
 %changelog
+* Thu Apr 20 2023 yaoxin <yao_xin001@hoperun.com> - 2.6.6-3
+- Fix CVE-2023-25950
+
 * Sat Feb 25 2023 yaoxin <yaoxin30@h-partners.com> - 2.6.6-2
 - Fix CVE-2023-25725 and CVE-2023-0056