02163d8757
- add httpd-2.4.x-mod_lua_websocket_DoS.patch to fix mod_lua bug where a maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash [CVE-2015-0228], [bnc#918352]. OBS-URL: https://build.opensuse.org/request/show/287376 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=432
51 lines
1.6 KiB
Diff
51 lines
1.6 KiB
Diff
From 643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef Mon Sep 17 00:00:00 2001
|
|
From: Eric Covener <covener@apache.org>
|
|
Date: Wed, 4 Feb 2015 14:44:23 +0000
|
|
Subject: [PATCH] *) SECURITY: CVE-2015-0228 (cve.mitre.org) mod_lua: A
|
|
maliciously crafted websockets PING after a script calls r:wsupgrade()
|
|
can cause a child process crash. [Edward Lu <Chaosed0 gmail.com>]
|
|
|
|
Discovered by Guido Vranken <guidovranken gmail.com>
|
|
|
|
Submitted by: Edward Lu
|
|
Committed by: covener
|
|
|
|
|
|
|
|
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657261 13f79535-47bb-0310-9956-ffa450edef68
|
|
---
|
|
diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
|
|
index dded599..1200c55 100644
|
|
--- a/modules/lua/lua_request.c
|
|
+++ b/modules/lua/lua_request.c
|
|
@@ -2227,6 +2227,7 @@ static int lua_websocket_read(lua_State *L)
|
|
{
|
|
apr_socket_t *sock;
|
|
apr_status_t rv;
|
|
+ int do_read = 1;
|
|
int n = 0;
|
|
apr_size_t len = 1;
|
|
apr_size_t plen = 0;
|
|
@@ -2244,6 +2245,8 @@ static int lua_websocket_read(lua_State *L)
|
|
mask_bytes = apr_pcalloc(r->pool, 4);
|
|
sock = ap_get_conn_socket(r->connection);
|
|
|
|
+ while (do_read) {
|
|
+ do_read = 0;
|
|
/* Get opcode and FIN bit */
|
|
if (plaintext) {
|
|
rv = apr_socket_recv(sock, &byte, &len);
|
|
@@ -2377,10 +2380,11 @@ static int lua_websocket_read(lua_State *L)
|
|
frame[0] = 0x8A;
|
|
frame[1] = 0;
|
|
apr_socket_send(sock, frame, &plen); /* Pong! */
|
|
- lua_websocket_read(L); /* read the next frame instead */
|
|
+ do_read = 1;
|
|
}
|
|
}
|
|
}
|
|
+ }
|
|
return 0;
|
|
}
|
|
|