authorAnthony G. Basile <blueness@gentoo.org>2013-06-05 20:45:45 +0000
committerAnthony G. Basile <blueness@gentoo.org>2013-06-05 20:45:45 +0000
commit3e7be07de9d4e4d0667454a337ed3e18eba77b5e (patch)
tree1814f0a9d1dc9fc1d811f7f1c4b89aca0f38b4ba /www-servers/monkeyd
parentUpdate patch, bug 472348 (diff)
downloadgentoo-2-3e7be07de9d4e4d0667454a337ed3e18eba77b5e.tar.gz
gentoo-2-3e7be07de9d4e4d0667454a337ed3e18eba77b5e.tar.bz2
gentoo-2-3e7be07de9d4e4d0667454a337ed3e18eba77b5e.zip
Fix DoS bug on headers parser, bug #472400, CVE-2013-3843
(Portage version: 2.1.11.62/cvs/Linux x86_64, signed Manifest commit with key 0xF52D4BBA)
Diffstat (limited to 'www-servers/monkeyd')
-rw-r--r--www-servers/monkeyd/ChangeLog6
-rw-r--r--www-servers/monkeyd/files/monkeyd-fix-DoS-headers-parser.patch131
-rw-r--r--www-servers/monkeyd/monkeyd-1.2.0.ebuild7
3 files changed, 141 insertions, 3 deletions
diff --git a/www-servers/monkeyd/ChangeLog b/www-servers/monkeyd/ChangeLog
index 296dc40eb0ba..408283f8d8f3 100644
--- a/www-servers/monkeyd/ChangeLog
+++ b/www-servers/monkeyd/ChangeLog
@@ -1,6 +1,10 @@
# ChangeLog for www-servers/monkeyd
# Copyright 1999- Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-servers/monkeyd/ChangeLog,v 1.55 2013/06/02 13:03:56 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-servers/monkeyd/ChangeLog,v 1.56 2013/06/05 20:45:45 blueness Exp $
+
+ 05 Jun 2013; Anthony G. Basile <blueness@gentoo.org>
+ +files/monkeyd-fix-DoS-headers-parser.patch, monkeyd-1.2.0.ebuild:
+ Fix DoS bug on headers parser, bug #472400, CVE-2013-3843
02 Jun 2013; Anthony G. Basile <blueness@gentoo.org> monkeyd-1.2.0.ebuild:
Almost everyone will need liana, so turn it on by default
diff --git a/www-servers/monkeyd/files/monkeyd-fix-DoS-headers-parser.patch b/www-servers/monkeyd/files/monkeyd-fix-DoS-headers-parser.patch
new file mode 100644
index 000000000000..db0e111dab00
--- /dev/null
+++ b/www-servers/monkeyd/files/monkeyd-fix-DoS-headers-parser.patch
@@ -0,0 +1,131 @@
+From 95d646e5de252bfaa8b68c39d0f48e5d82965d41 Mon Sep 17 00:00:00 2001
+From: Eduardo Silva <edsiper@gmail.com>
+Date: Wed, 5 Jun 2013 12:18:39 -0600
+Subject: [PATCH] Fix #182: DoS bug on headers parser
+
+This patch fix the root cause for a problem described in Ticket #182,
+actually if a header is malformed like a Header Key without a value, the
+ToC parser used to continue processing the next header line.
+
+The solution applied is to improve the ToC generator where it adds extra
+validations for at least one colon and forcing each header line to contain
+a value or empty space, otherwise the server will trigger a Bad Request
+response to the client and close the connection.
+
+Signed-off-by: Eduardo Silva <edsiper@gmail.com>
+---
+ src/mk_method.c | 11 ++++++++++-
+ src/mk_request.c | 36 +++++++++++++++++++++++++++++-------
+ 2 files changed, 39 insertions(+), 8 deletions(-)
+
+diff --git a/src/mk_method.c b/src/mk_method.c
+index 4a0698a..b35e893 100644
+--- a/src/mk_method.c
++++ b/src/mk_method.c
+@@ -45,16 +45,25 @@
+
+ long int mk_method_validate_content_length(const char *body, int body_len)
+ {
++ int crlf;
+ struct headers_toc toc;
+ long int len;
+ mk_pointer tmp;
+
++ crlf = mk_string_search(body, MK_CRLF, MK_STR_INSENSITIVE);
++ if (crlf < 0) {
++ return -1;
++ }
++
+ /*
+ * obs: Table of Content (toc) is created when the full
+ * request has arrived, this function cannot be used from
+ * mk_http_pending_request().
+ */
+- mk_request_header_toc_parse(&toc, body, body_len);
++ if (mk_request_header_toc_parse(&toc, body + crlf + mk_crlf.len,
++ body_len - mk_crlf.len - crlf) < 0) {
++ return -1;
++ }
+ tmp = mk_request_header_get(&toc,
+ mk_rh_content_length.data,
+ mk_rh_content_length.len);
+diff --git a/src/mk_request.c b/src/mk_request.c
+index 5c1f07e..083aba8 100644
+--- a/src/mk_request.c
++++ b/src/mk_request.c
+@@ -121,13 +121,32 @@ static void mk_request_free(struct session_request *sr)
+
+ int mk_request_header_toc_parse(struct headers_toc *toc, const char *data, int len)
+ {
+- int i;
++ int i = 0;
++ int header_len;
++ int colon;
++ char *q;
+ char *p = (char *) data;
+- char *l = 0;
++ char *l = p;
+
+ toc->length = 0;
++
++ if (*p == '\r') goto out;
+ for (i = 0; l < (data + len) && p && i < MK_HEADERS_TOC_LEN; i++) {
+- l = strstr(p, MK_CRLF);
++ if (*p == '\r') goto out;
++
++ colon = -1;
++ for (q = p; *q != '\r'; ++q) {
++ if (*q == ':') {
++ colon = (q - p);
++ }
++ }
++
++ l = (q);
++ header_len = (l - p) - mk_crlf.len;
++ if ((colon == -1) || (header_len == colon) || (*++q != '\n')) {
++ return -1;
++ }
++
+ if (l) {
+ toc->rows[i].init = p;
+ toc->rows[i].end = l;
+@@ -140,6 +159,7 @@ int mk_request_header_toc_parse(struct headers_toc *toc, const char *data, int l
+ }
+ }
+
++ out:
+ return toc->length;
+ }
+
+@@ -237,13 +257,15 @@ static int mk_request_header_process(struct session_request *sr)
+
+ /* Creating Table of Content (index) for HTTP headers */
+ sr->headers_len = sr->body.len - (prot_end + mk_crlf.len);
+- mk_request_header_toc_parse(&sr->headers_toc, headers, sr->headers_len);
++ if (mk_request_header_toc_parse(&sr->headers_toc, headers, sr->headers_len) < 0) {
++ MK_TRACE("Invalid headers");
++ return -1;
++ }
+
+ /* Host */
+ host = mk_request_header_get(&sr->headers_toc,
+ mk_rh_host.data,
+ mk_rh_host.len);
+-
+ if (host.data) {
+ if ((pos_sep = mk_string_char_search_r(host.data, ':', host.len)) >= 0) {
+ /* TCP port should not be higher than 65535 */
+@@ -321,8 +343,8 @@ static int mk_request_header_process(struct session_request *sr)
+ sr->keep_alive = MK_TRUE;
+ sr->close_now = MK_FALSE;
+ }
+- else if(mk_string_search_n(sr->connection.data, "Close",
+- MK_STR_INSENSITIVE, sr->connection.len) >= 0) {
++ else if (mk_string_search_n(sr->connection.data, "Close",
++ MK_STR_INSENSITIVE, sr->connection.len) >= 0) {
+ sr->keep_alive = MK_FALSE;
+ sr->close_now = MK_TRUE;
+ }
+--
+1.7.4.1
+
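Review bot: The inner scan `for (q = p; *q != '\r'; ++q)` in the new mk_request_header_toc_parse is bounded only by finding a '\r', not by `data + len` or a NUL, so a header block whose final line is not CRLF-terminated reads past the buffer, and `*++q` then reads one byte beyond the '\r' even when that '\r' is the last byte in range — a weaker bound than the strstr() it replaces, which at least stopped at a NUL. The loop should carry the limit, e.g. `for (q = p; q < data + len && *q != '\r'; ++q)` followed by `if (q + 1 >= data + len) return -1;` before the `*++q != '\n'` test, so a truncated header block is rejected with the same -1 the caller already maps to Bad Request. The `header_len == colon` test also looks off: with `header_len = (l - p) - mk_crlf.len` and l pointing at the '\r', and assuming mk_crlf.len is 2 as the name suggests, it rejects a line whose last colon is the second-to-last character (a one-byte value with no space, `Key:x`) while a bare `Key:` with no value passes; if the intent is to reject empty values, comparing `colon` with `(l - p) - 1` would express that, but confirm against the rest of the function. The function's body continues past the hunk, so the advance of p and the remaining rows bookkeeping are not visible here.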
diff --git a/www-servers/monkeyd/monkeyd-1.2.0.ebuild b/www-servers/monkeyd/monkeyd-1.2.0.ebuild
index 2d256a961977..4becd232e307 100644
--- a/www-servers/monkeyd/monkeyd-1.2.0.ebuild
+++ b/www-servers/monkeyd/monkeyd-1.2.0.ebuild
@@ -1,10 +1,10 @@
# Copyright 1999- Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-servers/monkeyd/monkeyd-1.2.0.ebuild,v 1.4 2013/06/02 13:03:56 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-servers/monkeyd/monkeyd-1.2.0.ebuild,v 1.5 2013/06/05 20:45:45 blueness Exp $
EAPI="5"
-inherit toolchain-funcs depend.php multilib
+inherit toolchain-funcs depend.php multilib eutils
MY_P="${PN/d}-${PV}"
DESCRIPTION="A small, fast, and scalable web server"
@@ -42,6 +42,9 @@ pkg_setup() {
}
src_prepare() {
+ # Fixes security issue, bug #472400, CVE-2013-3843
+ epatch "${FILESDIR}"/${PN}-fix-DoS-headers-parser.patch
+
# Don't install the banana script, we use ${FILESDIR}/monkeyd.initd instead
sed -i '/Creating bin\/banana/d' configure || die "No configure file"
sed -i '/create_banana_script bindir/d' configure || die "No configure file"