
From: "Christian Hoffmann (hoffie)" <hoffie@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in www-servers/lighttpd/files: 1.4.25-fix-CVE-2010-0295.patch
Date: Mon, 01 Feb 2010 23:48:06
Message-Id: E1Nc5zn-00054n-V9@stork.gentoo.org
1 hoffie 10/02/01 23:47:55
2
3 Added: 1.4.25-fix-CVE-2010-0295.patch
4 Log:
5 revision bump with fix for CVE-2010-0295, straight to stable on amd64
6 (Portage version: 2.1.7.16/cvs/Linux x86_64, RepoMan options: --force)
7
8 Revision Changes Path
9 1.1 www-servers/lighttpd/files/1.4.25-fix-CVE-2010-0295.patch
10
11 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-servers/lighttpd/files/1.4.25-fix-CVE-2010-0295.patch?rev=1.1&view=markup
12 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-servers/lighttpd/files/1.4.25-fix-CVE-2010-0295.patch?rev=1.1&content-type=text/plain
13
14 Index: 1.4.25-fix-CVE-2010-0295.patch
15 ===================================================================
16 Index: branches/lighttpd-1.4.x/src/base.h
17 ===================================================================
18 --- branches/lighttpd-1.4.x/src/base.h (revision 2709)
19 +++ branches/lighttpd-1.4.x/src/base.h (revision 2710)
20 @@ -431,7 +431,6 @@
21
22 #ifdef USE_OPENSSL
23 SSL *ssl;
24 - buffer *ssl_error_want_reuse_buffer;
25 # ifndef OPENSSL_NO_TLSEXT
26 buffer *tlsext_server_name;
27 # endif
28 Index: branches/lighttpd-1.4.x/src/connections.c
29 ===================================================================
30 --- branches/lighttpd-1.4.x/src/connections.c (revision 2709)
31 +++ branches/lighttpd-1.4.x/src/connections.c (revision 2710)
32 @@ -192,40 +192,42 @@
33
34 static int connection_handle_read_ssl(server *srv, connection *con) {
35 #ifdef USE_OPENSSL
36 - int r, ssl_err, len, count = 0;
37 + int r, ssl_err, len, count = 0, read_offset, toread;
38 buffer *b = NULL;
39
40 if (!con->conf.is_ssl) return -1;
41
42 - /* don't resize the buffer if we were in SSL_ERROR_WANT_* */
43 -
44 ERR_clear_error();
45 do {
46 - if (!con->ssl_error_want_reuse_buffer) {
47 - b = buffer_init();
48 - buffer_prepare_copy(b, SSL_pending(con->ssl) + (16 * 1024)); /* the pending bytes + 16kb */
49 + if (NULL != con->read_queue->last) {
50 + b = con->read_queue->last->mem;
51 + }
52
53 + if (NULL == b || b->size - b->used < 1024) {
54 + b = chunkqueue_get_append_buffer(con->read_queue);
55 + len = SSL_pending(con->ssl);
56 + if (len < 4*1024) len = 4*1024; /* always alloc >= 4k buffer */
57 + buffer_prepare_copy(b, len + 1);
58 +
59 /* overwrite everything with 0 */
60 memset(b->ptr, 0, b->size);
61 - } else {
62 - b = con->ssl_error_want_reuse_buffer;
63 }
64
65 - len = SSL_read(con->ssl, b->ptr, b->size - 1);
66 - con->ssl_error_want_reuse_buffer = NULL; /* reuse it only once */
67 + read_offset = (b->used > 0) ? b->used - 1 : 0;
68 + toread = b->size - 1 - read_offset;
69
70 + len = SSL_read(con->ssl, b->ptr + read_offset, toread);
71 +
72 if (len > 0) {
73 - b->used = len;
74 + if (b->used > 0) b->used--;
75 + b->used += len;
76 b->ptr[b->used++] = '\0';
77
78 - /* we move the buffer to the chunk-queue, no need to free it */
79 + con->bytes_read += len;
80
81 - chunkqueue_append_buffer_weak(con->read_queue, b);
82 count += len;
83 - con->bytes_read += len;
84 - b = NULL;
85 }
86 - } while (len > 0 && count < MAX_READ_LIMIT);
87 + } while (len == toread && count < MAX_READ_LIMIT);
88
89
90 if (len < 0) {
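Review bot: The reuse path `b = con->read_queue->last->mem;` takes the last chunk's buffer without checking the chunk type, whereas the POST-body hunk later in this same patch guards the identical pattern with `dst_cq->last->type == MEM_CHUNK`; read_queue is presumably MEM-only, but a different chunk type here would hand SSL_read() a buffer that is not the one being appended to, so `if (NULL != con->read_queue->last && MEM_CHUNK == con->read_queue->last->type)` keeps the two sites consistent. The resume arithmetic `read_offset = (b->used > 0) ? b->used - 1 : 0` also relies on every non-empty chunk in read_queue carrying a counted trailing NUL, which this function maintains below but nothing asserts; a comment such as `/* b->used counts the trailing '\0' written below, so resume one byte before it */` would make the invariant explicit for other writers to the queue. Note that `read_offset`, `toread` and `len` are `int` while `b->size`/`b->used` are size_t, so `b->size - 1 - read_offset` is computed unsigned and then truncated into `toread`. connection_handle_read_ssl's error handling continues outside the hunk.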
91 @@ -234,11 +236,11 @@
92 case SSL_ERROR_WANT_READ:
93 case SSL_ERROR_WANT_WRITE:
94 con->is_readable = 0;
95 - con->ssl_error_want_reuse_buffer = b;
96
97 - b = NULL;
98 + /* the manual says we have to call SSL_read with the same arguments next time.
99 + * we ignore this restriction; no one has complained about it in 1.5 yet, so it probably works anyway.
100 + */
101
102 - /* we have to steal the buffer from the queue-queue */
103 return 0;
104 case SSL_ERROR_SYSCALL:
105 /**
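Review bot: The new comment justifies ignoring SSL_read(3)'s "repeat with the same arguments" requirement with "no one has complained about it in 1.5 yet", which gives a later maintainer nothing to verify. As far as I know OpenSSL keeps no reference to the caller's read buffer across SSL_ERROR_WANT_READ/WANT_WRITE — the moving-buffer restriction bites on SSL_write(), which is why SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER exists — so resuming into a different chunk is sound for reads, and that is the reason worth recording: `/* SSL_read(3) asks for identical arguments on retry; OpenSSL does not retain the read buffer pointer across WANT_READ/WANT_WRITE, so resuming into a different chunk is safe here (unlike SSL_write). */`. If the supported OpenSSL range cannot be confirmed, keep a hedge in the comment rather than the anecdote.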
106 @@ -297,16 +299,11 @@
107
108 connection_set_state(srv, con, CON_STATE_ERROR);
109
110 - buffer_free(b);
111 -
112 return -1;
113 } else if (len == 0) {
114 con->is_readable = 0;
115 /* the other end close the connection -> KEEP-ALIVE */
116
117 - /* pipelining */
118 - buffer_free(b);
119 -
120 return -2;
121 }
122
123 @@ -321,26 +318,41 @@
124 static int connection_handle_read(server *srv, connection *con) {
125 int len;
126 buffer *b;
127 - int toread;
128 + int toread, read_offset;
129
130 if (con->conf.is_ssl) {
131 return connection_handle_read_ssl(srv, con);
132 }
133
134 + b = (NULL != con->read_queue->last) ? con->read_queue->last->mem : NULL;
135 +
136 + /* default size for chunks is 4kb; only use bigger chunks if FIONREAD tells
137 + * us more than 4kb is available
138 + * if FIONREAD doesn't signal a big chunk we fill the previous buffer
139 + * if it has >= 1kb free
140 + */
141 #if defined(__WIN32)
142 - b = chunkqueue_get_append_buffer(con->read_queue);
143 - buffer_prepare_copy(b, 4 * 1024);
144 - len = recv(con->fd, b->ptr, b->size - 1, 0);
145 -#else
146 - if (ioctl(con->fd, FIONREAD, &toread) || toread == 0) {
147 + if (NULL == b || b->size - b->used < 1024) {
148 b = chunkqueue_get_append_buffer(con->read_queue);
149 buffer_prepare_copy(b, 4 * 1024);
150 + }
151 +
152 + read_offset = (b->used == 0) ? 0 : b->used - 1;
153 + len = recv(con->fd, b->ptr + read_offset, b->size - 1 - read_offset, 0);
154 +#else
155 + if (ioctl(con->fd, FIONREAD, &toread) || toread == 0 || toread <= 4*1024) {
156 + if (NULL == b || b->size - b->used < 1024) {
157 + b = chunkqueue_get_append_buffer(con->read_queue);
158 + buffer_prepare_copy(b, 4 * 1024);
159 + }
160 } else {
161 if (toread > MAX_READ_LIMIT) toread = MAX_READ_LIMIT;
162 b = chunkqueue_get_append_buffer(con->read_queue);
163 buffer_prepare_copy(b, toread + 1);
164 }
165 - len = read(con->fd, b->ptr, b->size - 1);
166 +
167 + read_offset = (b->used == 0) ? 0 : b->used - 1;
168 + len = read(con->fd, b->ptr + read_offset, b->size - 1 - read_offset);
169 #endif
170
171 if (len < 0) {
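Review bot: In the FIONREAD branch the condition `toread == 0 || toread <= 4*1024` is redundant — the second test already covers zero — so `if (ioctl(con->fd, FIONREAD, &toread) || toread <= 4*1024) {` expresses the same decision. As in the SSL path, `con->read_queue->last->mem` is reused without checking that the last chunk is a MEM_CHUNK, while the POST-body hunk in this patch does check; keeping the guard consistent avoids a silent dependency on read_queue never holding another chunk type. `toread` is also declared without an initializer and only assigned inside ioctl(); the short-circuit `||` keeps that harmless today, but `int toread = 0, read_offset;` removes the reliance on evaluation order. connection_handle_read's error handling continues below the hunk.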
172 @@ -374,7 +386,8 @@
173 con->is_readable = 0;
174 }
175
176 - b->used = len;
177 + if (b->used > 0) b->used--;
178 + b->used += len;
179 b->ptr[b->used++] = '\0';
180
181 con->bytes_read += len;
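Review bot: The commit sequence `if (b->used > 0) b->used--; b->used += len; b->ptr[b->used++] = '\0';` now appears verbatim here and in connection_handle_read_ssl earlier in this patch, and both copies depend on the same unstated invariant that a non-empty buffer's `used` counts its trailing NUL. A small `static` helper such as `buffer_commit_read(buffer *b, int len)` with that invariant documented once would keep the two paths from drifting when one is later fixed. The enclosing function starts and ends outside the hunk.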
182 @@ -850,13 +863,6 @@
183 /* The cond_cache gets reset in response.c */
184 /* config_cond_cache_reset(srv, con); */
185
186 -#ifdef USE_OPENSSL
187 - if (con->ssl_error_want_reuse_buffer) {
188 - buffer_free(con->ssl_error_want_reuse_buffer);
189 - con->ssl_error_want_reuse_buffer = NULL;
190 - }
191 -#endif
192 -
193 con->header_len = 0;
194 con->in_error_handler = 0;
195
196 @@ -1128,8 +1134,15 @@
197 } else {
198 buffer *b;
199
200 - b = chunkqueue_get_append_buffer(dst_cq);
201 - buffer_copy_string_len(b, c->mem->ptr + c->offset, toRead);
202 + if (dst_cq->last &&
203 + dst_cq->last->type == MEM_CHUNK) {
204 + b = dst_cq->last->mem;
205 + } else {
206 + b = chunkqueue_get_append_buffer(dst_cq);
207 + /* prepare buffer size for remaining POST data; is < 64kb */
208 + buffer_prepare_copy(b, con->request.content_length - dst_cq->bytes_in + 1);
209 + }
210 + buffer_append_string_len(b, c->mem->ptr + c->offset, toRead);
211 }
212
213 c->offset += toRead;
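Review bot: `buffer_prepare_copy(b, con->request.content_length - dst_cq->bytes_in + 1)` has no guard against `bytes_in` exceeding `content_length`; if those two fields differ in type or signedness, or the bound enforced by the surrounding branch ever loosens, the difference wraps to a huge size_t and becomes a large allocation sized from request headers. Since buffer_append_string_len() grows the buffer on demand anyway, the pre-size is only an optimization and can be made conditional: `if (con->request.content_length > dst_cq->bytes_in) buffer_prepare_copy(b, con->request.content_length - dst_cq->bytes_in + 1);`. The comment `/* prepare buffer size for remaining POST data; is < 64kb */` relies on a branch outside this hunk, so it should say where that bound comes from. The enclosing function starts and ends outside the hunk.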
214 Index: branches/lighttpd-1.4.x/src/chunk.c
215 ===================================================================
216 --- branches/lighttpd-1.4.x/src/chunk.c (revision 2709)
217 +++ branches/lighttpd-1.4.x/src/chunk.c (revision 2710)
218 @@ -197,8 +197,6 @@
219 int chunkqueue_append_buffer_weak(chunkqueue *cq, buffer *mem) {
220 chunk *c;
221
222 - if (mem->used == 0) return 0;
223 -
224 c = chunkqueue_get_unused_chunk(cq);
225 c->type = MEM_CHUNK;
226 c->offset = 0;