head 1.2; access; symbols pkgsrc-2020Q3:1.1.0.10 pkgsrc-2020Q3-base:1.1 pkgsrc-2020Q2:1.1.0.8 pkgsrc-2020Q2-base:1.1 pkgsrc-2020Q1:1.1.0.4 pkgsrc-2020Q1-base:1.1 pkgsrc-2019Q4:1.1.0.6 pkgsrc-2019Q4-base:1.1 pkgsrc-2019Q3:1.1.0.2; locks; strict; comment @# @; 1.2 date 2020.12.02.16.30.50; author ast; state dead; branches; next 1.1; commitid h7VONPUpNMiXFbyC; 1.1 date 2019.10.20.20.02.13; author ast; state Exp; branches 1.1.2.1; next ; commitid ihPU96VKiS2AZDHB; 1.1.2.1 date 2019.10.20.20.02.13; author bsiegert; state dead; branches; next 1.1.2.2; commitid PzALRi32egn9YQHB; 1.1.2.2 date 2019.10.22.11.07.30; author bsiegert; state Exp; branches; next ; commitid PzALRi32egn9YQHB; desc @@ 1.2 log @www/nostromo: update to nostromo 1.9.9; patches not needed anymore @ text @$NetBSD: patch-http_header_comp,v 1.1 2019/10/20 20:02:13 ast Exp $ The function http_header_comp() should return the number of received headers, not only 0 on fail or 1 on success. Without this functionality, one could send more than the default of 16 headers and overflow the header array to craft a DoS as shown in nostromo CVE-2019-16279. This patch adds the missing header count functionality to the function http_header_comp(). --- src/nhttpd/http.c.orig 2019-10-20 15:20:47.521119966 +0200 +++ src/nhttpd/http.c 2019-10-20 15:28:02.327722735 +0200 @@@@ -1074,21 +1074,21 @@@@ * http_header_comp() * check if received headers arrived complete * Return: - * 0 = headers not complete, 1 = headers complete + * 0 = headers not complete, = headers complete */ int http_header_comp(char *header, const int len) { - int r; - char *p, *end; + int i, headers; + char *p; - r = 0; + headers = 0; /* check header for minimum size */ if (len < 4) return (0); - /* post */ + /* post header */ if (!strncasecmp("POST", header, 4)) { p = header; if ((p = strstr(p, "\r\n\r\n")) == NULL) @@@@ -1097,12 +1097,19 @@@@ return (1); } - /* any header */ - end = header + (len - 4); - if (!strcmp(end, "\r\n\r\n")) - r = 1; + /* any other header */ + for (i = 0; i < len; i++) { + if (header[i] == '\r') { + if ((len - i) < 4) + break; + if (!strncmp(&header[i], "\r\n\r\n", 4)) { + headers++; + i += 3; + } + } + } - return (r); + return (headers); } /* @ 1.1 log @www/nostromo: fixes for CVE-2019-16278 and CVE-2019-16279 @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-http_header_comp was added on branch pkgsrc-2019Q3 on 2019-10-22 11:07:30 +0000 @ text @d1 66 @ 1.1.2.2 log @Pullup ticket #6073 - requested by ast www/nostromo: security fix Revisions pulled up: - www/nostromo/Makefile 1.3 - www/nostromo/PLIST 1.2 - www/nostromo/distinfo 1.2 - www/nostromo/patches/patch-http_header_comp 1.1 - www/nostromo/patches/patch-strcutl 1.1 --- Module Name: pkgsrc Committed By: ast Date: Sun Oct 20 20:02:14 UTC 2019 Modified Files: pkgsrc/www/nostromo: Makefile PLIST distinfo Added Files: pkgsrc/www/nostromo/patches: patch-http_header_comp patch-strcutl Log Message: www/nostromo: fixes for CVE-2019-16278 and CVE-2019-16279 @ text @a0 66 $NetBSD: patch-http_header_comp,v 1.1 2019/10/20 20:02:13 ast Exp $ The function http_header_comp() should return the number of received headers, not only 0 on fail or 1 on success. Without this functionality, one could send more than the default of 16 headers and overflow the header array to craft a DoS as shown in nostromo CVE-2019-16279. This patch adds the missing header count functionality to the function http_header_comp(). --- src/nhttpd/http.c.orig 2019-10-20 15:20:47.521119966 +0200 +++ src/nhttpd/http.c 2019-10-20 15:28:02.327722735 +0200 @@@@ -1074,21 +1074,21 @@@@ * http_header_comp() * check if received headers arrived complete * Return: - * 0 = headers not complete, 1 = headers complete + * 0 = headers not complete, = headers complete */ int http_header_comp(char *header, const int len) { - int r; - char *p, *end; + int i, headers; + char *p; - r = 0; + headers = 0; /* check header for minimum size */ if (len < 4) return (0); - /* post */ + /* post header */ if (!strncasecmp("POST", header, 4)) { p = header; if ((p = strstr(p, "\r\n\r\n")) == NULL) @@@@ -1097,12 +1097,19 @@@@ return (1); } - /* any header */ - end = header + (len - 4); - if (!strcmp(end, "\r\n\r\n")) - r = 1; + /* any other header */ + for (i = 0; i < len; i++) { + if (header[i] == '\r') { + if ((len - i) < 4) + break; + if (!strncmp(&header[i], "\r\n\r\n", 4)) { + headers++; + i += 3; + } + } + } - return (r); + return (headers); } /* @