LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12623 Commits
1 Branch
46 MiB
Tree: 717423d280
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '717423d280'
${ noResults }
openwrt-packages-dist/net/haproxy/patches/0040-BUG-MEDIUM-auth-thread...

77 lines
2.5 KiB
Raw Normal View History

haproxy: Update all patches for HAProxy v1.8.14 - Add new patches (see https://www.haproxy.org/bugs/bugs-1.8.14.html) - Raise PKG_RELEASE to 4 Signed-off-by: Christian Lachner <gladiac@gmail.com>
6 years ago
 
  1. commit a873c161d251abd025008034c0ddef8cd7f39511
  2. Author: Willy Tarreau <w@1wt.eu>
  3. Date:   Mon Oct 29 18:02:54 2018 +0100
  4. 

  5.     BUG/MEDIUM: auth/threads: use of crypt() is not thread-safe
  6.     
  7.     It was reported here that authentication may fail when threads are
  8.     enabled :
  9.     
  10.         https://bugzilla.redhat.com/show_bug.cgi?id=1643941
  11.     
  12.     While I couldn't reproduce the issue, it's obvious that there is a
  13.     problem with the use of the non-reentrant crypt() function there.
  14.     On Linux systems there's crypt_r() but not on the vast majority of
  15.     other ones. Thus a first approach consists in placing a lock around
  16.     this crypt() call. Another patch may relax it when crypt_r() is
  17.     available.
  18.     
  19.     This fix must be backported to 1.8. Thanks to Ryan O'Hara for the
  20.     quick notification.
  21.     
  22.     (cherry picked from commit 34d4b525a129baa6f52a930ae629ddb1ba4255c2)
  23.     Signed-off-by: Willy Tarreau <w@1wt.eu>
  24. 

  25. diff --git a/include/common/hathreads.h b/include/common/hathreads.h

  26. index 44bd66d1..24fb1d1a 100644

  27. --- a/include/common/hathreads.h

  28. +++ b/include/common/hathreads.h

  29. @@ -373,6 +373,7 @@ enum lock_label {

  30.  	START_LOCK,
  31.  	TLSKEYS_REF_LOCK,
  32.  	PENDCONN_LOCK,
  33. +	AUTH_LOCK,

  34.  	LOCK_LABELS
  35.  };
  36.  struct lock_stat {
  37. @@ -495,6 +496,7 @@ static inline const char *lock_label(enum lock_label label)

  38.  	case START_LOCK:           return "START";
  39.  	case TLSKEYS_REF_LOCK:     return "TLSKEYS_REF";
  40.  	case PENDCONN_LOCK:        return "PENDCONN";
  41. +	case AUTH_LOCK:            return "AUTH";

  42.  	case LOCK_LABELS:          break; /* keep compiler happy */
  43.  	};
  44.  	/* only way to come here is consecutive to an internal bug */
  45. diff --git a/src/auth.c b/src/auth.c

  46. index a2c689f7..e0fb1352 100644

  47. --- a/src/auth.c

  48. +++ b/src/auth.c

  49. @@ -28,6 +28,7 @@

  50.  #include <types/global.h>
  51.  #include <common/config.h>
  52.  #include <common/errors.h>
  53. +#include <common/hathreads.h>

  54.  
  55.  #include <proto/acl.h>
  56.  #include <proto/log.h>
  57. @@ -37,6 +38,10 @@

  58.  
  59.  struct userlist *userlist = NULL;    /* list of all existing userlists */
  60.  
  61. +#ifdef CONFIG_HAP_CRYPT

  62. +__decl_hathreads(static HA_SPINLOCK_T auth_lock);

  63. +#endif

  64. +

  65.  /* find targets for selected gropus. The function returns pointer to
  66.   * the userlist struct ot NULL if name is NULL/empty or unresolvable.
  67.   */
  68. @@ -245,7 +250,9 @@ check_user(struct userlist *ul, const char *user, const char *pass)

  69.  
  70.  	if (!(u->flags & AU_O_INSECURE)) {
  71.  #ifdef CONFIG_HAP_CRYPT
  72. +		HA_SPIN_LOCK(AUTH_LOCK, &auth_lock);

  73.  		ep = crypt(pass, u->pass);
  74. +		HA_SPIN_UNLOCK(AUTH_LOCK, &auth_lock);

  75.  #else
  76.  		return 0;
  77.  #endif