Fix CVE-2022-0711
(cherry picked from commit 17c626c09e0d6a67c8fb41e36654404e05ac7c93)
This commit is contained in:
starlet-dx
openeuler-sync-bot
parent
95cd8ff9dd
commit
212366e9a1
40
CVE-2022-0711.patch
Normal file
40
CVE-2022-0711.patch
Normal file
@ -0,0 +1,40 @@
|
||||
From bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8 Mon Sep 17 00:00:00 2001
|
||||
From: Andrew McDermott <aim@frobware.com>
|
||||
Date: Fri, 11 Feb 2022 18:26:49 +0000
|
||||
Subject: [PATCH] BUG/MAJOR: http/htx: prevent unbounded loop in
|
||||
http_manage_server_side_cookies
|
||||
|
||||
Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
|
||||
header is found then the while(1) loop in
|
||||
http_manage_server_side_cookies() will never terminate, resulting in
|
||||
the watchdog firing and the process terminating via SIGABRT.
|
||||
|
||||
The while(1) loop becomes unbounded because an unmatched call to
|
||||
http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
|
||||
calls to check for "Set-Cookie2" will now enumerate from the beginning
|
||||
of all the blocks and will once again match on subsequent
|
||||
passes (assuming a match first time around), hence the loop becoming
|
||||
unbounded.
|
||||
|
||||
This issue was introduced with HTX and this fix should be backported
|
||||
to all versions supporting HTX.
|
||||
|
||||
Many thanks to Grant Spence (gspence@redhat.com) for working through
|
||||
this issue with me.
|
||||
---
|
||||
src/http_ana.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/http_ana.c b/src/http_ana.c
|
||||
index 715dd3a5c5..c2d9d9b439 100644
|
||||
--- a/src/http_ana.c
|
||||
+++ b/src/http_ana.c
|
||||
@@ -3418,7 +3418,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re
|
||||
while (1) {
|
||||
int is_first = 1;
|
||||
|
||||
- if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
|
||||
+ if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
|
||||
if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
|
||||
break;
|
||||
is_cookie2 = 1;
|
||||
@ -5,7 +5,7 @@
|
||||
|
||||
Name: haproxy
|
||||
Version: 2.2.16
|
||||
Release: 2
|
||||
Release: 3
|
||||
Summary: The Reliable, High Performance TCP/HTTP Load Balancer
|
||||
|
||||
License: GPLv2+
|
||||
@ -17,6 +17,7 @@ Source3: %{name}.logrotate
|
||||
Source4: %{name}.sysconfig
|
||||
|
||||
Patch0001: CVE-2021-40346.patch
|
||||
Patch0002: CVE-2022-0711.patch
|
||||
|
||||
BuildRequires: gcc lua-devel pcre-devel zlib-devel openssl-devel systemd-devel systemd-units libatomic
|
||||
Requires: %{name}-help = %{version}-%{release}
|
||||
@ -124,6 +125,9 @@ exit 0
|
||||
%{_mandir}/man1/*
|
||||
|
||||
%changelog
|
||||
* Fri Mar 11 2022 yaoxin <yaoxin30@huawei.com> - 2.2.16-3
|
||||
- Fix CVE-2022-0711
|
||||
|
||||
* Sat Sep 18 2021 yaoxin <yaoxin30@huawei.com> - 2.2.16-2
|
||||
- Fix CVE-2021-40346
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user