hoffie 10/02/01 23:47:55 |
|
Added: 1.4.25-fix-CVE-2010-0295.patch |
Log: |
revision bump with fix for CVE-2010-0295, straight to stable on amd64 |
(Portage version: 2.1.7.16/cvs/Linux x86_64, RepoMan options: --force) |
|
Revision Changes Path |
1.1 www-servers/lighttpd/files/1.4.25-fix-CVE-2010-0295.patch |
|
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-servers/lighttpd/files/1.4.25-fix-CVE-2010-0295.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-servers/lighttpd/files/1.4.25-fix-CVE-2010-0295.patch?rev=1.1&content-type=text/plain |
|
Index: 1.4.25-fix-CVE-2010-0295.patch |
15 |
=================================================================== |
16 |
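--- a/branches/lighttpd-1.4.x/src/base.h
+++ b/branches/lighttpd-1.4.x/src/base.h
@@ -431,7 +431,6 @@
 
 #ifdef USE_OPENSSL
 SSL *ssl;
- buffer *ssl_error_want_reuse_buffer;
 # ifndef OPENSSL_NO_TLSEXT
 buffer *tlsext_server_name;
 # endif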
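--- a/branches/lighttpd-1.4.x/src/connections.c
+++ b/branches/lighttpd-1.4.x/src/connections.c
@@ -192,40 +192,42 @@
 
 static int connection_handle_read_ssl(server *srv, connection *con) {
 #ifdef USE_OPENSSL
- int r, ssl_err, len, count = 0;
+ int r, ssl_err, len, count = 0, read_offset, toread;
 buffer *b = NULL;
 
 if (!con->conf.is_ssl) return -1;
 
- /* don't resize the buffer if we were in SSL_ERROR_WANT_* */
-
 ERR_clear_error();
 do {
- if (!con->ssl_error_want_reuse_buffer) {
- b = buffer_init();
- buffer_prepare_copy(b, SSL_pending(con->ssl) + (16 * 1024)); /* the pending bytes + 16kb */
+ if (NULL != con->read_queue->last) {
+ b = con->read_queue->last->mem;
+ }
 
+ if (NULL == b || b->size - b->used < 1024) {
+ b = chunkqueue_get_append_buffer(con->read_queue);
+ len = SSL_pending(con->ssl);
+ if (len < 4*1024) len = 4*1024; /* always alloc >= 4k buffer */
+ buffer_prepare_copy(b, len + 1);
+
 /* overwrite everything with 0 */
 memset(b->ptr, 0, b->size);
- } else {
- b = con->ssl_error_want_reuse_buffer;
 }
 
- len = SSL_read(con->ssl, b->ptr, b->size - 1);
- con->ssl_error_want_reuse_buffer = NULL; /* reuse it only once */
+ read_offset = (b->used > 0) ? b->used - 1 : 0;
+ toread = b->size - 1 - read_offset;
 
+ len = SSL_read(con->ssl, b->ptr + read_offset, toread);
+
 if (len > 0) {
- b->used = len;
+ if (b->used > 0) b->used--;
+ b->used += len;
 b->ptr[b->used++] = '\0';
 
- /* we move the buffer to the chunk-queue, no need to free it */
+ con->bytes_read += len;
 
- chunkqueue_append_buffer_weak(con->read_queue, b);
 count += len;
- con->bytes_read += len;
- b = NULL;
 }
- } while (len > 0 && count < MAX_READ_LIMIT);
+ } while (len == toread && count < MAX_READ_LIMIT);
 
 
 if (len < 0) {
@@ -234,11 +236,11 @@
 case SSL_ERROR_WANT_READ:
 case SSL_ERROR_WANT_WRITE:
 con->is_readable = 0;
- con->ssl_error_want_reuse_buffer = b;
 
- b = NULL;
+ /* the manual says we have to call SSL_read with the same arguments next time.
+ * we ignore this restriction; no one has complained about it in 1.5 yet, so it probably works anyway.
+ */
 
- /* we have to steal the buffer from the queue-queue */
 return 0;
 case SSL_ERROR_SYSCALL:
 /**
@@ -297,16 +299,11 @@
 
 connection_set_state(srv, con, CON_STATE_ERROR);
 
- buffer_free(b);
-
 return -1;
 } else if (len == 0) {
 con->is_readable = 0;
 /* the other end close the connection -> KEEP-ALIVE */
 
- /* pipelining */
- buffer_free(b);
-
 return -2;
 }
 
@@ -321,26 +318,41 @@
 static int connection_handle_read(server *srv, connection *con) {
 int len;
 buffer *b;
- int toread;
+ int toread, read_offset;
 
 if (con->conf.is_ssl) {
 return connection_handle_read_ssl(srv, con);
 }
 
+ b = (NULL != con->read_queue->last) ? con->read_queue->last->mem : NULL;
+
+ /* default size for chunks is 4kb; only use bigger chunks if FIONREAD tells
+ * us more than 4kb is available
+ * if FIONREAD doesn't signal a big chunk we fill the previous buffer
+ * if it has >= 1kb free
+ */
 #if defined(__WIN32)
- b = chunkqueue_get_append_buffer(con->read_queue);
- buffer_prepare_copy(b, 4 * 1024);
- len = recv(con->fd, b->ptr, b->size - 1, 0);
-#else
- if (ioctl(con->fd, FIONREAD, &toread) || toread == 0) {
+ if (NULL == b || b->size - b->used < 1024) {
 b = chunkqueue_get_append_buffer(con->read_queue);
 buffer_prepare_copy(b, 4 * 1024);
+ }
+
+ read_offset = (b->used == 0) ? 0 : b->used - 1;
+ len = recv(con->fd, b->ptr + read_offset, b->size - 1 - read_offset, 0);
+#else
+ if (ioctl(con->fd, FIONREAD, &toread) || toread == 0 || toread <= 4*1024) {
+ if (NULL == b || b->size - b->used < 1024) {
+ b = chunkqueue_get_append_buffer(con->read_queue);
+ buffer_prepare_copy(b, 4 * 1024);
+ }
 } else {
 if (toread > MAX_READ_LIMIT) toread = MAX_READ_LIMIT;
 b = chunkqueue_get_append_buffer(con->read_queue);
 buffer_prepare_copy(b, toread + 1);
 }
- len = read(con->fd, b->ptr, b->size - 1);
+
+ read_offset = (b->used == 0) ? 0 : b->used - 1;
+ len = read(con->fd, b->ptr + read_offset, b->size - 1 - read_offset);
 #endif
 
 if (len < 0) {
@@ -374,7 +386,8 @@
 con->is_readable = 0;
 }
 
- b->used = len;
+ if (b->used > 0) b->used--;
+ b->used += len;
 b->ptr[b->used++] = '\0';
 
 con->bytes_read += len;
@@ -850,13 +863,6 @@
 /* The cond_cache gets reset in response.c */
 /* config_cond_cache_reset(srv, con); */
 
-#ifdef USE_OPENSSL
- if (con->ssl_error_want_reuse_buffer) {
- buffer_free(con->ssl_error_want_reuse_buffer);
- con->ssl_error_want_reuse_buffer = NULL;
- }
-#endif
-
 con->header_len = 0;
 con->in_error_handler = 0;
 
@@ -1128,8 +1134,15 @@
 } else {
 buffer *b;
 
- b = chunkqueue_get_append_buffer(dst_cq);
- buffer_copy_string_len(b, c->mem->ptr + c->offset, toRead);
+ if (dst_cq->last &&
+ dst_cq->last->type == MEM_CHUNK) {
+ b = dst_cq->last->mem;
+ } else {
+ b = chunkqueue_get_append_buffer(dst_cq);
+ /* prepare buffer size for remaining POST data; is < 64kb */
+ buffer_prepare_copy(b, con->request.content_length - dst_cq->bytes_in + 1);
+ }
+ buffer_append_string_len(b, c->mem->ptr + c->offset, toRead);
 }
 
 c->offset += toRead;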
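Review bot: The two read paths reuse the tail of the read queue without looking at the chunk type (`b = con->read_queue->last->mem;` in connection_handle_read_ssl and the matching ternary in connection_handle_read), whereas the POST-body hunk at -1128 only reuses the tail when `dst_cq->last->type == MEM_CHUNK`. If read_queue can only ever hold memory chunks this is harmless, but nothing visible in these hunks states that invariant; either make the read paths agree with `if (NULL != con->read_queue->last && con->read_queue->last->type == MEM_CHUNK)` or add a one-line comment saying why the check is not needed there. Separately, in the non-Windows branch `toread == 0 ||` is now redundant next to `toread <= 4*1024` and can be dropped. Both read functions start or continue outside the hunks shown, so the surrounding error handling was not reviewed.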
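--- a/branches/lighttpd-1.4.x/src/chunk.c
+++ b/branches/lighttpd-1.4.x/src/chunk.c
@@ -197,8 +197,6 @@
 int chunkqueue_append_buffer_weak(chunkqueue *cq, buffer *mem) {
 chunk *c;
 
- if (mem->used == 0) return 0;
-
 c = chunkqueue_get_unused_chunk(cq);
 c->type = MEM_CHUNK;
 c->offset = 0;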