packages/haproxy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!37 [sync] PR-36: fix CVE-2021-40346

Browse Source 
From: @openeuler-sync-bot
Reviewed-by: @ruebb
Signed-off-by: @ruebb
This commit is contained in:
openeuler-ci-bot 2021-09-18 06:24:31 +00:00 committed by Gitee
commit bd0ada7c19
2 changed files with 71 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
CVE-2021-40346.patch Normal file
View File

@ -0,0 +1,65 @@
From 86f4f281efb933900ebcc4fdaef95f566382d907 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Thu, 26 Aug 2021 16:23:37 +0200
Subject: BUG/MAJOR: htx: fix missing header name length check in
htx_add_header/trailer
Shachar Menashe for JFrog Security reported that htx_add_header() and
htx_add_trailer() were missing a length check on the header name. While
this does not allow to overwrite any memory area, it results in bits of
the header name length to slip into the header value length and may
result in forging certain header names on the input. The sad thing here
is that a FIXME comment was present suggesting to add the required length
checks :-(
The injected headers are visible to the HTTP internals and to the config
rules, so haproxy will generally stay synchronized with the server. But
there is one exception which is the content-length header field, because
it is already deduplicated on the input, but before being indexed. As
such, injecting a content-length header after the deduplication stage
may be abused to present a different, shorter one on the other side and
help build a request smuggling attack, or even maybe a response splitting
attack.
As a mitigation measure, it is sufficient to verify that no more than
one such header is present in any message, which is normally the case
thanks to the duplicate checks:
http-request deny if { req.hdr_cnt(content-length) gt 1 }
http-response deny if { res.hdr_cnt(content-length) gt 1 }
This must be backported to all HTX-enabled versions, hence as far as 2.0.
In 2.3 and earlier, the functions are in src/htx.c instead.
Many thanks to Shachar for his work and his responsible report!
[wt: code is in src/htx.c in 2.3 and older]
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
src/htx.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/src/htx.c
+++ b/src/htx.c
@@ -859,7 +859,9 @@ struct htx_blk *htx_add_header(struct ht
{
struct htx_blk *blk;
- /* FIXME: check name.len (< 256B) and value.len (< 1MB) */
+ if (name.len > 255 || value.len > 1048575)
+ return NULL;
+
blk = htx_add_blk(htx, HTX_BLK_HDR, name.len + value.len);
if (!blk)
return NULL;
@@ -878,7 +880,9 @@ struct htx_blk *htx_add_trailer(struct h
{
struct htx_blk *blk;
- /* FIXME: check name.len (< 256B) and value.len (< 1MB) */
+ if (name.len > 255 || value.len > 1048575)
+ return NULL;
+
blk = htx_add_blk(htx, HTX_BLK_TLR, name.len + value.len);
if (!blk)
return NULL;

7
haproxy.spec
View File

@ -5,7 +5,7 @@
Name: haproxy Name: haproxy
Version: 2.2.16 Version: 2.2.16
Release: 1 Release: 2
Summary: The Reliable, High Performance TCP/HTTP Load Balancer Summary: The Reliable, High Performance TCP/HTTP Load Balancer
License: GPLv2+ License: GPLv2+
@ -16,6 +16,8 @@ Source2: %{name}.cfg
Source3: %{name}.logrotate Source3: %{name}.logrotate
Source4: %{name}.sysconfig Source4: %{name}.sysconfig
Patch0001: CVE-2021-40346.patch
BuildRequires: gcc lua-devel pcre-devel zlib-devel openssl-devel systemd-devel systemd-units libatomic BuildRequires: gcc lua-devel pcre-devel zlib-devel openssl-devel systemd-devel systemd-units libatomic
Requires(pre): shadow-utils Requires(pre): shadow-utils
Requires(post): systemd Requires(post): systemd
@ -120,6 +122,9 @@ exit 0
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Sat Sep 18 yaoxin <yaoxin30@huawei.com> - 2.2.16-2
- Fix CVE-2021-40346
* Mon Aug 30 yaoxin <yaoxin30@huawei.com> - 2.2.16-1 * Mon Aug 30 yaoxin <yaoxin30@huawei.com> - 2.2.16-1
- Upgrade 2.2.16 to fix CVE-2021-39240 - Upgrade 2.2.16 to fix CVE-2021-39240