apache2/httpd-2.4.x-mod_lua_websocket_DoS.patch

From 643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Wed, 4 Feb 2015 14:44:23 +0000
Subject: [PATCH]   *) SECURITY: CVE-2015-0228 (cve.mitre.org)      mod_lua: A
 maliciously crafted websockets PING after a script      calls r:wsupgrade()
 can cause a child process crash.      [Edward Lu <Chaosed0 gmail.com>]

Discovered by Guido Vranken <guidovranken gmail.com>

Submitted by: Edward Lu
Committed by: covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657261 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
index dded599..1200c55 100644
--- a/modules/lua/lua_request.c
+++ b/modules/lua/lua_request.c
@@ -2227,6 +2227,7 @@ static int lua_websocket_read(lua_State *L)
 {
     apr_socket_t *sock;
     apr_status_t rv;
+    int do_read = 1;
     int n = 0;
     apr_size_t len = 1;
     apr_size_t plen = 0;
@@ -2244,6 +2245,8 @@ static int lua_websocket_read(lua_State *L)
     mask_bytes = apr_pcalloc(r->pool, 4);
     sock = ap_get_conn_socket(r->connection);
 
+    while (do_read) { 
+    do_read = 0;
     /* Get opcode and FIN bit */
     if (plaintext) {
         rv = apr_socket_recv(sock, &byte, &len);
@@ -2377,10 +2380,11 @@ static int lua_websocket_read(lua_State *L)
                 frame[0] = 0x8A;
                 frame[1] = 0;
                 apr_socket_send(sock, frame, &plen); /* Pong! */
-                lua_websocket_read(L); /* read the next frame instead */
+                do_read = 1;
             }
         }
     }
+    }
     return 0;
 }
Accepting request 287376 from home:kstreitova:branches:Apache - add httpd-2.4.x-mod_lua_websocket_DoS.patch to fix mod_lua bug where a maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash [CVE-2015-0228], [bnc#918352]. OBS-URL: https://build.opensuse.org/request/show/287376 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=432 2015-02-24 02:47:47 +01:00			`From 643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef Mon Sep 17 00:00:00 2001`
			`From: Eric Covener <covener@apache.org>`
			`Date: Wed, 4 Feb 2015 14:44:23 +0000`
			`Subject: [PATCH] *) SECURITY: CVE-2015-0228 (cve.mitre.org) mod_lua: A`
			`maliciously crafted websockets PING after a script calls r:wsupgrade()`
			`can cause a child process crash. [Edward Lu <Chaosed0 gmail.com>]`

			`Discovered by Guido Vranken <guidovranken gmail.com>`

			`Submitted by: Edward Lu`
			`Committed by: covener`



			`git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657261 13f79535-47bb-0310-9956-ffa450edef68`
			`---`
			`diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c`
			`index dded599..1200c55 100644`
			`--- a/modules/lua/lua_request.c`
			`+++ b/modules/lua/lua_request.c`
			`@@ -2227,6 +2227,7 @@ static int lua_websocket_read(lua_State *L)`
			`{`
			`apr_socket_t *sock;`
			`apr_status_t rv;`
			`+ int do_read = 1;`
			`int n = 0;`
			`apr_size_t len = 1;`
			`apr_size_t plen = 0;`
			`@@ -2244,6 +2245,8 @@ static int lua_websocket_read(lua_State *L)`
			`mask_bytes = apr_pcalloc(r->pool, 4);`
			`sock = ap_get_conn_socket(r->connection);`

			`+ while (do_read) {`
			`+ do_read = 0;`
			`/* Get opcode and FIN bit */`
			`if (plaintext) {`
			`rv = apr_socket_recv(sock, &byte, &len);`
			`@@ -2377,10 +2380,11 @@ static int lua_websocket_read(lua_State *L)`
			`frame[0] = 0x8A;`
			`frame[1] = 0;`
			`apr_socket_send(sock, frame, &plen); /* Pong! */`
			`- lua_websocket_read(L); /* read the next frame instead */`
			`+ do_read = 1;`
			`}`
			`}`
			`}`
			`+ }`
			`return 0;`
			`}`