You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
83 lines
3.0 KiB
83 lines
3.0 KiB
5 years ago
|
From 05da7fb51cda374ae351829f67018924f931f18b Mon Sep 17 00:00:00 2001
|
||
|
From: Sergio Correia <scorreia@redhat.com>
|
||
|
Date: Tue, 18 Feb 2020 09:10:18 -0300
|
||
|
Subject: [PATCH] CVE-2018-12121
|
||
|
|
||
|
---
|
||
|
http_parser.c | 15 +++++++++++----
|
||
|
http_parser.h | 3 +++
|
||
|
2 files changed, 14 insertions(+), 4 deletions(-)
|
||
|
|
||
|
diff --git a/http_parser.c b/http_parser.c
|
||
|
index f9991c3..aef4437 100644
|
||
|
--- a/http_parser.c
|
||
|
+++ b/http_parser.c
|
||
|
@@ -25,6 +25,8 @@
|
||
|
#include <string.h>
|
||
|
#include <limits.h>
|
||
|
|
||
|
+static uint32_t max_header_size = HTTP_MAX_HEADER_SIZE;
|
||
|
+
|
||
|
#ifndef ULLONG_MAX
|
||
|
# define ULLONG_MAX ((uint64_t) -1) /* 2^64-1 */
|
||
|
#endif
|
||
|
@@ -137,20 +139,20 @@ do { \
|
||
|
} while (0)
|
||
|
|
||
|
/* Don't allow the total size of the HTTP headers (including the status
|
||
|
- * line) to exceed HTTP_MAX_HEADER_SIZE. This check is here to protect
|
||
|
+ * line) to exceed max_header_size. This check is here to protect
|
||
|
* embedders against denial-of-service attacks where the attacker feeds
|
||
|
* us a never-ending header that the embedder keeps buffering.
|
||
|
*
|
||
|
* This check is arguably the responsibility of embedders but we're doing
|
||
|
* it on the embedder's behalf because most won't bother and this way we
|
||
|
- * make the web a little safer. HTTP_MAX_HEADER_SIZE is still far bigger
|
||
|
+ * make the web a little safer. max_header_size is still far bigger
|
||
|
* than any reasonable request or response so this should never affect
|
||
|
* day-to-day operation.
|
||
|
*/
|
||
|
#define COUNT_HEADER_SIZE(V) \
|
||
|
do { \
|
||
|
parser->nread += (V); \
|
||
|
- if (UNLIKELY(parser->nread > (HTTP_MAX_HEADER_SIZE))) { \
|
||
|
+ if (UNLIKELY(parser->nread > (max_header_size))) { \
|
||
|
SET_ERRNO(HPE_HEADER_OVERFLOW); \
|
||
|
goto error; \
|
||
|
} \
|
||
|
@@ -1471,7 +1473,7 @@ reexecute:
|
||
|
const char* p_lf;
|
||
|
size_t limit = data + len - p;
|
||
|
|
||
|
- limit = MIN(limit, HTTP_MAX_HEADER_SIZE);
|
||
|
+ limit = MIN(limit, max_header_size);
|
||
|
|
||
|
p_cr = (const char*) memchr(p, CR, limit);
|
||
|
p_lf = (const char*) memchr(p, LF, limit);
|
||
|
@@ -2438,3 +2440,8 @@ http_parser_version(void) {
|
||
|
HTTP_PARSER_VERSION_MINOR * 0x00100 |
|
||
|
HTTP_PARSER_VERSION_PATCH * 0x00001;
|
||
|
}
|
||
|
+
|
||
|
+void
|
||
|
+http_parser_set_max_header_size(uint32_t size) {
|
||
|
+ max_header_size = size;
|
||
|
+}
|
||
|
diff --git a/http_parser.h b/http_parser.h
|
||
|
index 1fbf30e..ea7bafe 100644
|
||
|
--- a/http_parser.h
|
||
|
+++ b/http_parser.h
|
||
|
@@ -427,6 +427,9 @@ void http_parser_pause(http_parser *parser, int paused);
|
||
|
/* Checks if this is the final chunk of the body. */
|
||
|
int http_body_is_final(const http_parser *parser);
|
||
|
|
||
|
+/* Change the maximum header size provided at compile time. */
|
||
|
+void http_parser_set_max_header_size(uint32_t size);
|
||
|
+
|
||
|
#ifdef __cplusplus
|
||
|
}
|
||
|
#endif
|
||
|
--
|
||
|
2.18.2
|
||
|
|