
tinyproxy: fix CVE-2012-3505

Signed-off-by: Steven Barth <steven@midlink.org>
Steven Barth 10 anos atrás
pai
commit
3ed912434f

+ 1
- 1
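--- a/net/tinyproxy/Makefile
+++ b/net/tinyproxy/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=tinyproxy
 PKG_VERSION:=1.8.3
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://www.banu.com/pub/tinyproxy/1.8/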

+ 101
- 0
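--- a/net/tinyproxy/patches/CVE-2012-3505-tiniproxy-randomized-hashmaps.patch
+++ b/net/tinyproxy/patches/CVE-2012-3505-tiniproxy-randomized-hashmaps.patch
@@ -0,0 +1,101 @@
+--- a/src/child.c
++++ b/src/child.c
+@@ -20,6 +20,9 @@
+  * processing incoming connections.
+  */
+ 
++#include <stdlib.h>
++#include <time.h>
++
+ #include "main.h"
+ 
+ #include "child.h"
+@@ -196,6 +199,7 @@ static void child_main (struct child_s *
+         }
+ 
+         ptr->connects = 0;
++	srand(time(NULL));
+ 
+         while (!config.quit) {
+                 ptr->status = T_WAITING;
+--- a/src/hashmap.c
++++ b/src/hashmap.c
+@@ -25,6 +25,8 @@
+  * don't try to free the data, or realloc the memory. :)
+  */
+ 
++#include <stdlib.h>
++
+ #include "main.h"
+ 
+ #include "hashmap.h"
+@@ -50,6 +52,7 @@ struct hashbucket_s {
+ };
+ 
+ struct hashmap_s {
++        uint32_t seed;
+         unsigned int size;
+         hashmap_iter end_iterator;
+ 
+@@ -65,7 +68,7 @@ struct hashmap_s {
+  *
+  * If any of the arguments are invalid a negative number is returned.
+  */
+-static int hashfunc (const char *key, unsigned int size)
++static int hashfunc (const char *key, unsigned int size, uint32_t seed)
+ {
+         uint32_t hash;
+ 
+@@ -74,7 +77,7 @@ static int hashfunc (const char *key, un
+         if (size == 0)
+                 return -ERANGE;
+ 
+-        for (hash = tolower (*key++); *key != '\0'; key++) {
++        for (hash = seed; *key != '\0'; key++) {
+                 uint32_t bit = (hash & 1) ? (1 << (sizeof (uint32_t) - 1)) : 0;
+ 
+                 hash >>= 1;
+@@ -104,6 +107,7 @@ hashmap_t hashmap_create (unsigned int n
+         if (!ptr)
+                 return NULL;
+ 
++	ptr->seed = (uint32_t)rand();
+         ptr->size = nbuckets;
+         ptr->buckets = (struct hashbucket_s *) safecalloc (nbuckets,
+                                                            sizeof (struct
+@@ -201,7 +205,7 @@ hashmap_insert (hashmap_t map, const cha
+         if (!data || len < 1)
+                 return -ERANGE;
+ 
+-        hash = hashfunc (key, map->size);
++        hash = hashfunc (key, map->size, map->seed);
+         if (hash < 0)
+                 return hash;
+ 
+@@ -382,7 +386,7 @@ ssize_t hashmap_search (hashmap_t map, c
+         if (map == NULL || key == NULL)
+                 return -EINVAL;
+ 
+-        hash = hashfunc (key, map->size);
++        hash = hashfunc (key, map->size, map->seed);
+         if (hash < 0)
+                 return hash;
+ 
+@@ -416,7 +420,7 @@ ssize_t hashmap_entry_by_key (hashmap_t
+         if (!map || !key || !data)
+                 return -EINVAL;
+ 
+-        hash = hashfunc (key, map->size);
++        hash = hashfunc (key, map->size, map->seed);
+         if (hash < 0)
+                 return hash;
+ 
+@@ -451,7 +455,7 @@ ssize_t hashmap_remove (hashmap_t map, c
+         if (map == NULL || key == NULL)
+                 return -EINVAL;
+ 
+-        hash = hashfunc (key, map->size);
++        hash = hashfunc (key, map->size, map->seed);
+         if (hash < 0)
+                 return hash;
+ 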
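Review bot: The per-map seed added in `hashmap_create` is taken from `rand()` after `srand(time(NULL))` in `child_main`, so it is derived from the wall clock, is the same for every child that starts within the same second, and stays at the libc default for any map that happens to be created before `child_main` runs. Bucket selection therefore remains predictable to a client that can estimate the start time, which weakens the collision-flood protection this patch is meant to provide. Seeding each map from the kernel RNG and keeping `rand()` only as a fallback removes the dependence on time; a sketch for the `hashmap_create` hunk follows. Separately, the context line `(1 << (sizeof (uint32_t) - 1))` shifts by 3 rather than 31, so the rotate in `hashfunc` presumably does not carry the low bit to the top as intended. Both functions continue outside the hunks shown.

```c
        /* … unchanged: allocation and NULL check of ptr … */
        /* Seed from the kernel RNG; fall back to rand() if it is unavailable
         * (e.g. no /dev/urandom inside a chroot). */
        {
                int rfd = open ("/dev/urandom", O_RDONLY);

                if (rfd < 0
                    || read (rfd, &ptr->seed, sizeof ptr->seed)
                       != (ssize_t) sizeof ptr->seed)
                        ptr->seed = (uint32_t) rand ();
                if (rfd >= 0)
                        close (rfd);
        }
        ptr->size = nbuckets;
```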

+ 44
- 0
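--- a/net/tinyproxy/patches/CVE-2012-3505-tinyproxy-limit-headers.patch
+++ b/net/tinyproxy/patches/CVE-2012-3505-tinyproxy-limit-headers.patch
@@ -0,0 +1,44 @@
+--- a/src/reqs.c
++++ b/src/reqs.c
+@@ -610,6 +610,11 @@ add_header_to_connection (hashmap_t hash
+         return hashmap_insert (hashofheaders, header, sep, len);
+ }
+ 
++/* define max number of headers. big enough to handle legitimate cases,
++ * but limited to avoid DoS 
++ */
++#define MAX_HEADERS 10000
++
+ /*
+  * Read all the headers from the stream
+  */
+@@ -617,6 +622,7 @@ static int get_all_headers (int fd, hash
+ {
+         char *line = NULL;
+         char *header = NULL;
++	int count;
+         char *tmp;
+         ssize_t linelen;
+         ssize_t len = 0;
+@@ -625,7 +631,7 @@ static int get_all_headers (int fd, hash
+         assert (fd >= 0);
+         assert (hashofheaders != NULL);
+ 
+-        for (;;) {
++        for (count = 0; count < MAX_HEADERS; count++) {
+                 if ((linelen = readline (fd, &line)) <= 0) {
+                         safefree (header);
+                         safefree (line);
+@@ -691,6 +697,12 @@ static int get_all_headers (int fd, hash
+ 
+                 safefree (line);
+         }
++
++	/* if we get there, this is we reached MAX_HEADERS count.
++	   bail out with error */
++	safefree (header);
++	safefree (line);
++	return -1;
+ }
+ 
+ /*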
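Review bot: When the loop in `get_all_headers` is exhausted at `MAX_HEADERS`, the new tail returns -1 without logging anything, so an operator cannot tell a header flood from an ordinary read failure. A line such as `log_message (LOG_WARNING, "Too many header lines, limit is %d", MAX_HEADERS);` before the `return -1;` would make the rejection visible. The counter advances once per `readline` call, so the cap is on lines read rather than on distinct headers, and the comment above `MAX_HEADERS` should say so. The limit is also a compile-time 10000 with no bound on total header bytes; whether that is tight enough depends on the memory of the target device. The function body continues outside the hunks shown.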