File libproxy-CVE-2020-25219.patch of Package libproxy-plugins

Overview Repositories Revisions Requests Users Attributes Meta

File libproxy-CVE-2020-25219.patch of Package libproxy-plugins

From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@gnome.org>
Date: Wed, 9 Sep 2020 11:12:02 -0500
Subject: [PATCH] Rewrite url::recvline to be nonrecursive

This function processes network input. It's semi-trusted, because the
PAC ought to be trusted. But we still shouldn't allow it to control how
far we recurse. A malicious PAC can cause us to overflow the stack by
sending a sufficiently-long line without any '\n' character.

Also, this function failed to properly handle EINTR, so let's fix that
too, for good measure.

Fixes #134
---
diff -urp libproxy-0.4.13.orig/libproxy/url.cpp libproxy-0.4.13/libproxy/url.cpp
--- libproxy-0.4.13.orig/libproxy/url.cpp	2016-04-28 12:04:41.000000000 -0500
+++ libproxy-0.4.13/libproxy/url.cpp	2020-09-30 16:37:53.633522797 -0500
@@ -34,6 +34,7 @@
 #include <sys/stat.h> // For stat()
 #include <algorithm> // For transform()
 #include <unistd.h>  // For read() close()
+#include <errno.h>
 
 #ifdef WIN32
 #include <io.h>
@@ -53,6 +54,8 @@ using namespace std;
 
 // This is the maximum pac size (to avoid memory attacks)
 #define PAC_MAX_SIZE 102400
+// This is the default block size to use when receiving via HTTP
+#define PAC_HTTP_BLOCK_SIZE 512
 
 static inline int get_default_port(string scheme) {
 	struct servent *serv;
@@ -370,16 +373,24 @@ string url::to_string() const {
 	return m_orig;
 }
 
-static inline string recvline(int fd) {
-	// Read a character.
-	// If we don't get a character, return empty string.
-	// If we are at the end of the line, return empty string.
-	char c = '\0';
-	
-	if (recv(fd, &c, 1, 0) != 1 || c == '\n')
-		return "";
+static string recvline(int fd) {
+	string line;
+	int ret;
+
+	// Reserve arbitrary amount of space to avoid small memory reallocations.
+	line.reserve(128);
+
+	do {
+		char c;
+		ret = recv(fd, &c, 1, 0);
+		if (ret == 1) {
+			if (c == '\n')
+				return line;
+			line += c;
+		}
+	} while (ret == 1 || (ret == -1 && errno == EINTR));
 
-	return string(1, c) + recvline(fd);
+	return line;
 }
 
 char* url::get_pac() {
Only in libproxy-0.4.13/libproxy: url.cpp.orig

Places

File libproxy-CVE-2020-25219.patch of Package libproxy-plugins

Places