Attachment 178297 Details for Bug 215587 – v1 patch

v1 patch

file_215587.txt (text/plain), 10.55 KB, created by Dave Cottlehuber on 2016-12-26 19:01:09 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Dave Cottlehuber

Created: 2016-12-26 19:01:09 UTC

Size: 10.55 KB

patch

obsolete

>From 2aa5d1e73e381927f093bae6161c0a6ccf479ee3 Mon Sep 17 00:00:00 2001
>From: Dave Cottlehuber <dch@skunkwerks.at>
>Date: Mon, 26 Dec 2016 14:45:27 +0000
>Subject: [PATCH] www/h2o: patch for CVE-2016-7835
>
>- include https://github.com/h2o/h2o/commit/1b2b6d7.patch
>- 2.0.5 has too many changes to go into a backported security fix
>---
> security/vuxml/vuln.xml                    |  29 ++++++
> www/h2o/Makefile                           |   2 +-
> www/h2o/distinfo                           |   2 +-
> www/h2o/files/patch-lib_core_request.c     | 145 +++++++++++++++++++++++++++++
> www/h2o/files/patch-lib_http2_connection.c |  10 ++
> 5 files changed, 186 insertions(+), 2 deletions(-)
> create mode 100644 www/h2o/files/patch-lib_core_request.c
> create mode 100644 www/h2o/files/patch-lib_http2_connection.c
>
>diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
>index 77abe12..3c9a450 100644
>--- a/security/vuxml/vuln.xml
>+++ b/security/vuxml/vuln.xml
>@@ -58,6 +58,35 @@ Notes:
>   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
> -->
> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
>+  <vuln vid="d0b12952-cb86-11e6-906f-0cc47a065786">
>+    <topic>www/h2o -- Use-after-free vulnerability</topic>
>+    <affects>
>+      <package>
>+	<name>h2o</name>
>+	<range><lt>2.0.4_2</lt></range>
>+      </package>
>+    </affects>
>+    <description>
>+      <body xmlns="http://www.w3.org/1999/xhtml">
>+	<p>Kazuho Oku reports:</p>
>+	<blockquote cite="https://github.com/h2o/h2o/issues?q=label%3Avulnerability">
>+	  <p>A use-after-free vulnerability exists in H2O up to and including
>+	    version 2.0.4 / 2.1.0-beta3 that can be used by a remote attacker to
>+	    mount DoS attacks and / or information theft.
>+	  </p>
>+	</blockquote>
>+      </body>
>+    </description>
>+    <references>
>+      <url>https://github.com/h2o/h2o/releases/tag/v2.0.5</url>
>+      <url>https://github.com/h2o/h2o/issues/1144</url>
>+    </references>
>+    <dates>
>+      <discovery>2016-09-09</discovery>
>+      <entry>2016-12-21</entry>
>+    </dates>
>+  </vuln>
>+
>   <vuln vid="c7656d4c-cb60-11e6-a9a5-b499baebfeaf">
>     <topic>phpmailer -- Remote Code Execution</topic>
>     <affects>
>diff --git a/www/h2o/Makefile b/www/h2o/Makefile
>index 7786227..5d8b422 100644
>--- a/www/h2o/Makefile
>+++ b/www/h2o/Makefile
>@@ -5,7 +5,7 @@ PORTNAME=	h2o
> PORTVERSION=	2.0.4
> PORTREVISION=	1
> DISTVERSIONPREFIX=	v
>-PORTREVISION=	1
>+PORTREVISION=	2
> CATEGORIES=	www
> 
> MAINTAINER=	dch@skunkwerks.at
>diff --git a/www/h2o/distinfo b/www/h2o/distinfo
>index 272d628..f0e5174 100644
>--- a/www/h2o/distinfo
>+++ b/www/h2o/distinfo
>@@ -1,3 +1,3 @@
>-TIMESTAMP = 1473753131
>+TIMESTAMP = 1482767274
> SHA256 (h2o-h2o-v2.0.4_GH0.tar.gz) = c0efa18f0ffb0f68ee4b60a6ed1feb54c770458c59e48baa2d9d0906ef9c68c0
> SIZE (h2o-h2o-v2.0.4_GH0.tar.gz) = 15015392
>diff --git a/www/h2o/files/patch-lib_core_request.c b/www/h2o/files/patch-lib_core_request.c
>new file mode 100644
>index 0000000..789c2cd
>--- /dev/null
>+++ b/www/h2o/files/patch-lib_core_request.c
>@@ -0,0 +1,145 @@
>+--- lib/core/request.c.orig	2016-09-13 06:57:03 UTC
>++++ lib/core/request.c
>+@@ -31,21 +31,24 @@
>+ 
>+ #define INITIAL_INBUFSZ 8192
>+ 
>+-struct st_delegate_request_deferred_t {
>++struct st_deferred_request_action_t {
>++    h2o_timeout_entry_t timeout;
>+     h2o_req_t *req;
>++};
>++
>++struct st_delegate_request_deferred_t {
>++    struct st_deferred_request_action_t super;
>+     h2o_handler_t *current_handler;
>+-    h2o_timeout_entry_t _timeout;
>+ };
>+ 
>+ struct st_reprocess_request_deferred_t {
>+-    h2o_req_t *req;
>++    struct st_deferred_request_action_t super;
>+     h2o_iovec_t method;
>+     const h2o_url_scheme_t *scheme;
>+     h2o_iovec_t authority;
>+     h2o_iovec_t path;
>+     h2o_req_overrides_t *overrides;
>+     int is_delegated;
>+-    h2o_timeout_entry_t _timeout;
>+ };
>+ 
>+ struct st_send_error_deferred_t {
>+@@ -57,6 +60,21 @@ struct st_send_error_deferred_t {
>+     h2o_timeout_entry_t _timeout;
>+ };
>+ 
>++static void on_deferred_action_dispose(void *_action)
>++{
>++    struct st_deferred_request_action_t *action = _action;
>++    if (h2o_timeout_is_linked(&action->timeout))
>++        h2o_timeout_unlink(&action->timeout);
>++}
>++
>++static struct st_deferred_request_action_t *create_deferred_action(h2o_req_t *req, size_t sz, h2o_timeout_cb cb)
>++{
>++    struct st_deferred_request_action_t *action = h2o_mem_alloc_shared(&req->pool, sz, on_deferred_action_dispose);
>++    *action = (struct st_deferred_request_action_t){{0, cb}, req};
>++    h2o_timeout_link(req->conn->ctx->loop, &req->conn->ctx->zero_timeout, &action->timeout);
>++    return action;
>++}
>++
>+ static h2o_hostconf_t *find_hostconf(h2o_hostconf_t **hostconfs, h2o_iovec_t authority, uint16_t default_port)
>+ {
>+     h2o_iovec_t hostname;
>+@@ -205,6 +223,7 @@ void h2o_init_request(h2o_req_t *req, h2
>+     req->preferred_chunk_size = SIZE_MAX;
>+ 
>+     if (src != NULL) {
>++        size_t i;
>+ #define COPY(buf)                                                                                                                  \
>+     do {                                                                                                                           \
>+         req->buf.base = h2o_mem_alloc_pool(&req->pool, src->buf.len);                                                              \
>+@@ -216,9 +235,6 @@ void h2o_init_request(h2o_req_t *req, h2
>+         COPY(input.path);
>+         req->input.scheme = src->input.scheme;
>+         req->version = src->version;
>+-        h2o_vector_reserve(&req->pool, &req->headers, src->headers.size);
>+-        memcpy(req->headers.entries, src->headers.entries, sizeof(req->headers.entries[0]) * src->headers.size);
>+-        req->headers.size = src->headers.size;
>+         req->entity = src->entity;
>+         req->http1_is_persistent = src->http1_is_persistent;
>+         req->timestamps = src->timestamps;
>+@@ -229,8 +245,19 @@ void h2o_init_request(h2o_req_t *req, h2
>+             req->upgrade.len = 0;
>+         }
>+ #undef COPY
>++        h2o_vector_reserve(&req->pool, &req->headers, src->headers.size);
>++        req->headers.size = src->headers.size;
>++        for (i = 0; i != src->headers.size; ++i) {
>++            h2o_header_t *dst_header = req->headers.entries + i, *src_header = src->headers.entries + i;
>++            if (h2o_iovec_is_token(src_header->name)) {
>++                dst_header->name = src_header->name;
>++            } else {
>++                dst_header->name = h2o_mem_alloc_pool(&req->pool, sizeof(*dst_header->name));
>++                *dst_header->name = h2o_strdup(&req->pool, src_header->name->base, src_header->name->len);
>++            }
>++            dst_header->value = h2o_strdup(&req->pool, src_header->value.base, src_header->value.len);
>++        }
>+         if (src->env.size != 0) {
>+-            size_t i;
>+             h2o_vector_reserve(&req->pool, &req->env, src->env.size);
>+             req->env.size = src->env.size;
>+             for (i = 0; i != req->env.size; ++i)
>+@@ -276,16 +303,16 @@ void h2o_delegate_request(h2o_req_t *req
>+ 
>+ static void on_delegate_request_cb(h2o_timeout_entry_t *entry)
>+ {
>+-    struct st_delegate_request_deferred_t *args = H2O_STRUCT_FROM_MEMBER(struct st_delegate_request_deferred_t, _timeout, entry);
>+-    h2o_delegate_request(args->req, args->current_handler);
>++    struct st_delegate_request_deferred_t *args =
>++        H2O_STRUCT_FROM_MEMBER(struct st_delegate_request_deferred_t, super.timeout, entry);
>++    h2o_delegate_request(args->super.req, args->current_handler);
>+ }
>+ 
>+ void h2o_delegate_request_deferred(h2o_req_t *req, h2o_handler_t *current_handler)
>+ {
>+-    struct st_delegate_request_deferred_t *args = h2o_mem_alloc_pool(&req->pool, sizeof(*args));
>+-    *args = (struct st_delegate_request_deferred_t){req, current_handler};
>+-    args->_timeout.cb = on_delegate_request_cb;
>+-    h2o_timeout_link(req->conn->ctx->loop, &req->conn->ctx->zero_timeout, &args->_timeout);
>++    struct st_delegate_request_deferred_t *args =
>++        (struct st_delegate_request_deferred_t *)create_deferred_action(req, sizeof(*args), on_delegate_request_cb);
>++    args->current_handler = current_handler;
>+ }
>+ 
>+ void h2o_reprocess_request(h2o_req_t *req, h2o_iovec_t method, const h2o_url_scheme_t *scheme, h2o_iovec_t authority,
>+@@ -335,17 +362,23 @@ void h2o_reprocess_request(h2o_req_t *re
>+ 
>+ static void on_reprocess_request_cb(h2o_timeout_entry_t *entry)
>+ {
>+-    struct st_reprocess_request_deferred_t *args = H2O_STRUCT_FROM_MEMBER(struct st_reprocess_request_deferred_t, _timeout, entry);
>+-    h2o_reprocess_request(args->req, args->method, args->scheme, args->authority, args->path, args->overrides, args->is_delegated);
>++    struct st_reprocess_request_deferred_t *args =
>++        H2O_STRUCT_FROM_MEMBER(struct st_reprocess_request_deferred_t, super.timeout, entry);
>++    h2o_reprocess_request(args->super.req, args->method, args->scheme, args->authority, args->path, args->overrides,
>++                          args->is_delegated);
>+ }
>+ 
>+ void h2o_reprocess_request_deferred(h2o_req_t *req, h2o_iovec_t method, const h2o_url_scheme_t *scheme, h2o_iovec_t authority,
>+                                     h2o_iovec_t path, h2o_req_overrides_t *overrides, int is_delegated)
>+ {
>+-    struct st_reprocess_request_deferred_t *args = h2o_mem_alloc_pool(&req->pool, sizeof(*args));
>+-    *args = (struct st_reprocess_request_deferred_t){req, method, scheme, authority, path, overrides, is_delegated};
>+-    args->_timeout.cb = on_reprocess_request_cb;
>+-    h2o_timeout_link(req->conn->ctx->loop, &req->conn->ctx->zero_timeout, &args->_timeout);
>++    struct st_reprocess_request_deferred_t *args =
>++        (struct st_reprocess_request_deferred_t *)create_deferred_action(req, sizeof(*args), on_reprocess_request_cb);
>++    args->method = method;
>++    args->scheme = scheme;
>++    args->authority = authority;
>++    args->path = path;
>++    args->overrides = overrides;
>++    args->is_delegated = is_delegated;
>+ }
>+ 
>+ void h2o_start_response(h2o_req_t *req, h2o_generator_t *generator)
>diff --git a/www/h2o/files/patch-lib_http2_connection.c b/www/h2o/files/patch-lib_http2_connection.c
>new file mode 100644
>index 0000000..1c8cd28
>--- /dev/null
>+++ b/www/h2o/files/patch-lib_http2_connection.c
>@@ -0,0 +1,10 @@
>+--- lib/http2/connection.c.orig	2016-09-13 06:57:03 UTC
>++++ lib/http2/connection.c
>+@@ -1329,6 +1329,7 @@ int h2o_http2_handle_upgrade(h2o_req_t *
>+ 
>+     return 0;
>+ Error:
>++    h2o_linklist_unlink(&http2conn->_conns);
>+     free(http2conn);
>+     return -1;
>+ }

Actions: View

Attachments on bug 215587: 178297