Browse Source

tinyproxy: fix CVE-2012-3505

Signed-off-by: Steven Barth <steven@midlink.org>
lilik-openwrt-22.03
Steven Barth 11 years ago
parent
commit
3ed912434f
3 changed files with 146 additions and 1 deletions
  1. +1
    -1
      net/tinyproxy/Makefile
  2. +101
    -0
      net/tinyproxy/patches/CVE-2012-3505-tiniproxy-randomized-hashmaps.patch
  3. +44
    -0
      net/tinyproxy/patches/CVE-2012-3505-tinyproxy-limit-headers.patch

+ 1
- 1
net/tinyproxy/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=tinyproxy PKG_NAME:=tinyproxy
PKG_VERSION:=1.8.3 PKG_VERSION:=1.8.3
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://www.banu.com/pub/tinyproxy/1.8/ PKG_SOURCE_URL:=http://www.banu.com/pub/tinyproxy/1.8/


+ 101
- 0
net/tinyproxy/patches/CVE-2012-3505-tiniproxy-randomized-hashmaps.patch View File

@ -0,0 +1,101 @@
--- a/src/child.c
+++ b/src/child.c
@@ -20,6 +20,9 @@
* processing incoming connections.
*/
+#include <stdlib.h>
+#include <time.h>
+
#include "main.h"
#include "child.h"
@@ -196,6 +199,7 @@ static void child_main (struct child_s *
}
ptr->connects = 0;
+ srand(time(NULL));
while (!config.quit) {
ptr->status = T_WAITING;
--- a/src/hashmap.c
+++ b/src/hashmap.c
@@ -25,6 +25,8 @@
* don't try to free the data, or realloc the memory. :)
*/
+#include <stdlib.h>
+
#include "main.h"
#include "hashmap.h"
@@ -50,6 +52,7 @@ struct hashbucket_s {
};
struct hashmap_s {
+ uint32_t seed;
unsigned int size;
hashmap_iter end_iterator;
@@ -65,7 +68,7 @@ struct hashmap_s {
*
* If any of the arguments are invalid a negative number is returned.
*/
-static int hashfunc (const char *key, unsigned int size)
+static int hashfunc (const char *key, unsigned int size, uint32_t seed)
{
uint32_t hash;
@@ -74,7 +77,7 @@ static int hashfunc (const char *key, un
if (size == 0)
return -ERANGE;
- for (hash = tolower (*key++); *key != '\0'; key++) {
+ for (hash = seed; *key != '\0'; key++) {
uint32_t bit = (hash & 1) ? (1 << (sizeof (uint32_t) - 1)) : 0;
hash >>= 1;
@@ -104,6 +107,7 @@ hashmap_t hashmap_create (unsigned int n
if (!ptr)
return NULL;
+ ptr->seed = (uint32_t)rand();
ptr->size = nbuckets;
ptr->buckets = (struct hashbucket_s *) safecalloc (nbuckets,
sizeof (struct
@@ -201,7 +205,7 @@ hashmap_insert (hashmap_t map, const cha
if (!data || len < 1)
return -ERANGE;
- hash = hashfunc (key, map->size);
+ hash = hashfunc (key, map->size, map->seed);
if (hash < 0)
return hash;
@@ -382,7 +386,7 @@ ssize_t hashmap_search (hashmap_t map, c
if (map == NULL || key == NULL)
return -EINVAL;
- hash = hashfunc (key, map->size);
+ hash = hashfunc (key, map->size, map->seed);
if (hash < 0)
return hash;
@@ -416,7 +420,7 @@ ssize_t hashmap_entry_by_key (hashmap_t
if (!map || !key || !data)
return -EINVAL;
- hash = hashfunc (key, map->size);
+ hash = hashfunc (key, map->size, map->seed);
if (hash < 0)
return hash;
@@ -451,7 +455,7 @@ ssize_t hashmap_remove (hashmap_t map, c
if (map == NULL || key == NULL)
return -EINVAL;
- hash = hashfunc (key, map->size);
+ hash = hashfunc (key, map->size, map->seed);
if (hash < 0)
return hash;

+ 44
- 0
net/tinyproxy/patches/CVE-2012-3505-tinyproxy-limit-headers.patch View File

@ -0,0 +1,44 @@
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -610,6 +610,11 @@ add_header_to_connection (hashmap_t hash
return hashmap_insert (hashofheaders, header, sep, len);
}
+/* define max number of headers. big enough to handle legitimate cases,
+ * but limited to avoid DoS
+ */
+#define MAX_HEADERS 10000
+
/*
* Read all the headers from the stream
*/
@@ -617,6 +622,7 @@ static int get_all_headers (int fd, hash
{
char *line = NULL;
char *header = NULL;
+ int count;
char *tmp;
ssize_t linelen;
ssize_t len = 0;
@@ -625,7 +631,7 @@ static int get_all_headers (int fd, hash
assert (fd >= 0);
assert (hashofheaders != NULL);
- for (;;) {
+ for (count = 0; count < MAX_HEADERS; count++) {
if ((linelen = readline (fd, &line)) <= 0) {
safefree (header);
safefree (line);
@@ -691,6 +697,12 @@ static int get_all_headers (int fd, hash
safefree (line);
}
+
+ /* if we get there, this is we reached MAX_HEADERS count.
+ bail out with error */
+ safefree (header);
+ safefree (line);
+ return -1;
}
/*

Loading…
Cancel
Save