packages/httpd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update to httpd-2.4.58

Browse Source
This commit is contained in:
xietangxin 2024-01-29 08:49:17 +00:00
parent e4d04ae9eb
commit f478188b58
9 changed files with 8 additions and 645 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

205
backport-CVE-2023-25690.patch
View File

@ -1,205 +0,0 @@
From d78a166fedd9d02c23e4b71d5f53bd9b2c4b9a51 Mon Sep 17 00:00:00 2001
From: covener <covener@apache.org>
Date: Mon, 6 Mar 2023 4:27:31 AM GMT+0800
Subject: [PATCH] don't forward invalid query strings
Conflict:NA
Reference:https://github.com/apache/httpd/commit/d78a166fedd9d02c23e4b71d5f53bd9b2c4b9a51
---
modules/http2/mod_proxy_http2.c | 14 ++++++++++++++
modules/mappers/mod_rewrite.c | 22 ++++++++++++++++++++++
modules/proxy/mod_proxy_ajp.c | 14 ++++++++++++++
modules/proxy/mod_proxy_balancer.c | 14 ++++++++++++++
modules/proxy/mod_proxy_http.c | 14 ++++++++++++++
modules/proxy/mod_proxy_wstunnel.c | 14 ++++++++++++++
6 files changed, 92 insertions(+)
diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
index 3faf034..b316aa8 100644
--- a/modules/http2/mod_proxy_http2.c
+++ b/modules/http2/mod_proxy_http2.c
@@ -154,10 +154,24 @@ static int proxy_http2_canon(request_rec *r, char *url)
if (apr_table_get(r->notes, "proxy-nocanon")) {
path = url; /* this is the raw path */
}
+ else if (apr_table_get(r->notes, "proxy-noencode")) {
+ path = url; /* this is the encoded path already */
+ search = r->args;
+ }
else {
path = ap_proxy_canonenc(r->pool, url, (int)strlen(url),
enc_path, 0, r->proxyreq);
search = r->args;
+ if (search && *(ap_scan_vchar_obstext(search))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
+ "To be forwarded query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
}
break;
case PROXYREQ_PROXY:
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 9439965..f6398f1 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -4729,6 +4729,17 @@ static int hook_uri2file(request_rec *r)
unsigned skip;
apr_size_t flen;
+ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10410)
+ "Rewritten query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
+
if (ACTION_STATUS == rulestatus) {
int n = r->status;
@@ -5013,6 +5024,17 @@ static int hook_fixup(request_rec *r)
if (rulestatus) {
unsigned skip;
+ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10411)
+ "Rewritten query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
+
if (ACTION_STATUS == rulestatus) {
int n = r->status;
diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
index 1449aca..aa3441a 100644
--- a/modules/proxy/mod_proxy_ajp.c
+++ b/modules/proxy/mod_proxy_ajp.c
@@ -65,10 +65,24 @@ static int proxy_ajp_canon(request_rec *r, char *url)
if (apr_table_get(r->notes, "proxy-nocanon")) {
path = url; /* this is the raw path */
}
+ else if (apr_table_get(r->notes, "proxy-noencode")) {
+ path = url; /* this is the encoded path already */
+ search = r->args;
+ }
else {
path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
r->proxyreq);
search = r->args;
+ if (search && *(ap_scan_vchar_obstext(search))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10406)
+ "To be forwarded query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
}
if (path == NULL)
return HTTP_BAD_REQUEST;
diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
index f6fb634..de5ac8a 100644
--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
@@ -102,10 +102,24 @@ static int proxy_balancer_canon(request_rec *r, char *url)
if (apr_table_get(r->notes, "proxy-nocanon")) {
path = url; /* this is the raw path */
}
+ else if (apr_table_get(r->notes, "proxy-noencode")) {
+ path = url; /* this is the encoded path already */
+ search = r->args;
+ }
else {
path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
r->proxyreq);
search = r->args;
+ if (search && *(ap_scan_vchar_obstext(search))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10407)
+ "To be forwarded query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
}
if (path == NULL)
return HTTP_BAD_REQUEST;
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
index ec4e7fb..85f16f2 100644
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -121,10 +121,24 @@ static int proxy_http_canon(request_rec *r, char *url)
if (apr_table_get(r->notes, "proxy-nocanon")) {
path = url; /* this is the raw path */
}
+ else if (apr_table_get(r->notes, "proxy-noencode")) {
+ path = url; /* this is the encoded path already */
+ search = r->args;
+ }
else {
path = ap_proxy_canonenc(r->pool, url, strlen(url),
enc_path, 0, r->proxyreq);
search = r->args;
+ if (search && *(ap_scan_vchar_obstext(search))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10408)
+ "To be forwarded query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
}
break;
case PROXYREQ_PROXY:
diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c
index bcbba42..16502e2 100644
--- a/modules/proxy/mod_proxy_wstunnel.c
+++ b/modules/proxy/mod_proxy_wstunnel.c
@@ -110,10 +110,24 @@ static int proxy_wstunnel_canon(request_rec *r, char *url)
if (apr_table_get(r->notes, "proxy-nocanon")) {
path = url; /* this is the raw path */
}
+ else if (apr_table_get(r->notes, "proxy-noencode")) {
+ path = url; /* this is the encoded path already */
+ search = r->args;
+ }
else {
path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
r->proxyreq);
search = r->args;
+ if (search && *(ap_scan_vchar_obstext(search))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10409)
+ "To be forwarded query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
}
if (path == NULL)
return HTTP_BAD_REQUEST;
--
2.27.0

104
backport-CVE-2023-27522.patch
View File

@ -1,104 +0,0 @@
From 0df5879df8f16b4101ea2365672178b4ae899e9e Mon Sep 17 00:00:00 2001
From: ylavic <ylavic@apache.org>
Date: Thu, 2 Mar 2023 11:10:54 PM GMT+0800
Subject: [PATCH] mod_proxy_uwsgi:Stricter backend HTTP response parsing/validation
Conflict:NA
Reference:https://github.com/apache/httpd/commit/0df5879df8f16b4101ea2365672178b4ae899e9e
---
modules/proxy/mod_proxy_uwsgi.c | 49 +++++++++++++++++++++++----------
1 file changed, 35 insertions(+), 14 deletions(-)
diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
index e02450e..92e153c 100644
--- a/modules/proxy/mod_proxy_uwsgi.c
+++ b/modules/proxy/mod_proxy_uwsgi.c
@@ -307,18 +307,16 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
pass_bb = apr_brigade_create(r->pool, c->bucket_alloc);
len = ap_getline(buffer, sizeof(buffer), rp, 1);
-
if (len <= 0) {
- /* oops */
+ /* invalid or empty */
return HTTP_INTERNAL_SERVER_ERROR;
}
-
backend->worker->s->read += len;
-
- if (len >= sizeof(buffer) - 1) {
- /* oops */
+ if ((apr_size_t)len >= sizeof(buffer)) {
+ /* too long */
return HTTP_INTERNAL_SERVER_ERROR;
}
+
/* Position of http status code */
if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) {
status_start = 9;
@@ -327,8 +325,8 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
status_start = 7;
}
else {
- /* oops */
- return HTTP_INTERNAL_SERVER_ERROR;
+ /* not HTTP */
+ return HTTP_BAD_GATEWAY;
}
status_end = status_start + 3;
@@ -348,21 +346,44 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
}
r->status_line = apr_pstrdup(r->pool, &buffer[status_start]);
- /* start parsing headers */
+ /* parse headers */
while ((len = ap_getline(buffer, sizeof(buffer), rp, 1)) > 0) {
+ if ((apr_size_t)len >= sizeof(buffer)) {
+ /* too long */
+ len = -1;
+ break;
+ }
value = strchr(buffer, ':');
- /* invalid header skip */
- if (!value)
- continue;
- *value = '\0';
- ++value;
+ if (!value) {
+ /* invalid header */
+ len = -1;
+ break;
+ }
+ *value++ = '\0';
+ if (*ap_scan_http_token(buffer)) {
+ /* invalid name */
+ len = -1;
+ break;
+ }
while (apr_isspace(*value))
++value;
for (end = &value[strlen(value) - 1];
end > value && apr_isspace(*end); --end)
*end = '\0';
+ if (*ap_scan_http_field_content(value)) {
+ /* invalid value */
+ len = -1;
+ break;
+ }
apr_table_add(r->headers_out, buffer, value);
}
+ if (len < 0) {
+ /* Reset headers, but not to NULL because things below the chain expect
+ * this to be non NULL e.g. the ap_content_length_filter.
+ */
+ r->headers_out = apr_table_make(r->pool, 1);
+ return HTTP_BAD_GATEWAY;
+ }
if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
ap_set_content_type(r, apr_pstrdup(r->pool, buf));
--
2.27.0

28
backport-CVE-2023-31122-out-of-bound-Read.patch
View File

@ -1,28 +0,0 @@
From c41eb3b14a3d1eb2e3c42c4728cc52a22748851a Mon Sep 17 00:00:00 2001
From: Stefan Eissing <icing@apache.org>
Date: Mon, 16 Oct 2023 06:39:44 +0000
Subject: [PATCH] mod_macro: out of bounds Read
Conflict:NA
Reference:https://github.com/apache/httpd/commit/c41eb3b14a3d1eb2e3c42c4728cc52a22748851a
---
modules/core/mod_macro.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/core/mod_macro.c b/modules/core/mod_macro.c
index 04af43b..cc42d0b 100644
--- a/modules/core/mod_macro.c
+++ b/modules/core/mod_macro.c
@@ -465,7 +465,7 @@ static const char *process_content(apr_pool_t * pool,
for (i = 0; i < contents->nelts; i++) {
const char *errmsg;
/* copy the line and substitute macro parameters */
- strncpy(line, ((char **) contents->elts)[i], MAX_STRING_LEN - 1);
+ apr_cpystrn(line, ((char **) contents->elts)[i], MAX_STRING_LEN);
errmsg = substitute_macro_args(line, MAX_STRING_LEN,
macro, replacements, used);
if (errmsg) {
--
2.23.0

134
backport-CVE-2023-43622-fixed-a-bug-in-handling-of-stream-timeouts.patch
View File

@ -1,134 +0,0 @@
From 582c533c1728459eef5f8ec1a64b81fb093b26a8 Mon Sep 17 00:00:00 2001
From: SteFan Eissing <icing@apache.org>
Date: Mon, 16 Oct 2023 06:18:30 +0000
Subject: [PATCH] mod_http2: fixed a bug in handling of stream timeouts.
Conflict:NA
Reference:https://github.com/apache/httpd/commit/582c533c1728459eef5f8ec1a64b81fb093b26a8
---
changes-entries/h2_stream_timeout.txt | 2 ++
modules/http2/h2_mplx.c | 25 +++++++++++++++++++++++++
modules/http2/h2_mplx.h | 5 +++++
modules/http2/h2_session.c | 10 +++++++++-
modules/http2/h2_stream.c | 8 ++++++++
modules/http2/h2_stream.h | 2 ++
6 files changed, 51 insertions(+), 1 deletion(-)
create mode 100644 changes-entries/h2_stream_timeout.txt
diff --git a/changes-entries/h2_stream_timeout.txt b/changes-entries/h2_stream_timeout.txt
new file mode 100644
index 0000000..ab39b42
--- /dev/null
+++ b/changes-entries/h2_stream_timeout.txt
@@ -0,0 +1,2 @@
+* mod_http2: fixed a bug in handing of stream timeouts.
+ [Stefan Eissing]
diff --git a/modules/http2/h2_mplx.c b/modules/http2/h2_mplx.c
index b4855af..e150cc3 100644
--- a/modules/http2/h2_mplx.c
+++ b/modules/http2/h2_mplx.c
@@ -394,6 +394,31 @@ apr_status_t h2_mplx_c1_streams_do(h2_mplx *m, h2_mplx_stream_cb *cb, void *ctx)
return APR_SUCCESS;
}
+typedef struct {
+ int stream_count;
+ int stream_want_send;
+} stream_iter_aws_t;
+
+static int m_stream_want_send_data(void *ctx, void *stream)
+{
+ stream_iter_aws_t *x = ctx;
+ ++x->stream_count;
+ if (h2_stream_wants_send_data(stream))
+ ++x->stream_want_send;
+ return 1;
+}
+
+int h2_mplx_c1_all_streams_want_send_data(h2_mplx *m)
+{
+ stream_iter_aws_t x;
+ x.stream_count = 0;
+ x.stream_want_send = 0;
+ H2_MPLX_ENTER(m);
+ h2_ihash_iter(m->streams, m_stream_want_send_data, &x);
+ H2_MPLX_LEAVE(m);
+ return x.stream_count && (x.stream_count == x.stream_want_send);
+}
+
static int m_report_stream_iter(void *ctx, void *val) {
h2_mplx *m = ctx;
h2_stream *stream = val;
diff --git a/modules/http2/h2_mplx.h b/modules/http2/h2_mplx.h
index f565a09..730bb16 100644
--- a/modules/http2/h2_mplx.h
+++ b/modules/http2/h2_mplx.h
@@ -193,6 +193,11 @@ typedef int h2_mplx_stream_cb(struct h2_stream *s, void *userdata);
*/
apr_status_t h2_mplx_c1_streams_do(h2_mplx *m, h2_mplx_stream_cb *cb, void *ctx);
+/**
+ * Return != 0 iff all open streams want to send data
+ */
+int h2_mplx_c1_all_streams_want_send_data(h2_mplx *m)
+
/**
* A stream has been RST_STREAM by the client. Abort
* any processing going on and remove from processing
diff --git a/modules/http2/h2_session.c b/modules/http2/h2_session.c
index f740373..8aeff3c 100644
--- a/modules/http2/h2_session.c
+++ b/modules/http2/h2_session.c
@@ -1931,7 +1931,15 @@ apr_status_t h2_session_process(h2_session *session, int async)
status = h2_mplx_c1_poll(session->mplx, session->s->timeout,
on_stream_input, on_stream_output, session);
if (APR_STATUS_IS_TIMEUP(status)) {
- if (session->open_streams == 0) {
+ /* If we timeout without streams open, no new request from client
+ * arrived.
+ * If we timeout without nghttp2 wanting to write something, bug
+ * all open streams have something to send, it means we are
+ * blocked on HTTP/2 flow control and the client did not send
+ * WINDOW_UPDATEs to us. */
+ if (session->open_stream == 0 ||
+ (!h2_session_want_send(session) &&
+ h2_mplx_c1_all_streams_want_send_data(session->m))) {
h2_session_dispatch_event(session, H2_SESSION_EV_CONN_TIMEOUT, status, NULL);
break;
}
diff --git a/modules/http2/h2_stream.c b/modules/http2/h2_stream.c
index 17e5d34..c81c3e4 100644
--- a/modules/http2/h2_stream.c
+++ b/modules/http2/h2_stream.c
@@ -1185,6 +1185,14 @@ int h2_stream_is_ready(h2_stream *stream)
return 0;
}
+int h2_stream_wants_send_data(h2_stream *stream)
+{
+ H2_STRM_ASSERT_MAGIC(stream, H2_STRM_MAGIC_OK);
+ return h2_stream_is_ready(stream) &&
+ ((stream->out_buffer && !APR_BRIGADE_EMPTY(stream->out_buffer)) ||
+ (stream->output && !h2_beam_empty(stream->output)));
+}
+
int h2_stream_is_at(const h2_stream *stream, h2_stream_state_t state)
{
return stream->state == state;
diff --git a/modules/http2/h2_stream.h b/modules/http2/h2_stream.h
index 695d56a..647ef2d 100644
--- a/modules/http2/h2_stream.h
+++ b/modules/http2/h2_stream.h
@@ -317,6 +317,8 @@ const char *h2_stream_state_str(const h2_stream *stream);
*/
int h2_stream_is_ready(h2_stream *stream);
+int h2_stream_wants_send_data(h2_stream *stream);
+
#define H2_STRM_MSG(s, msg) \
"h2_stream(%d-%lu-%d,%s): "msg, s->session->child_num, \
(unsigned long)s->session->id, s->id, h2_stream_state_str(s)
--
2.23.0

139
backport-CVE-2023-45802-improved-early-cleanup-of-streams.patch
View File

@ -1,139 +0,0 @@
From decce82a706abd78dfc32821a03ad93841d7758a Mon Sep 17 00:00:00 2001
From: Stefan Eissing <icing@apache.org>
Date: Mon, 16 Oct 2023 09:05:00 +0000
Subject: [PATCH] mod_http2: improved early cleanup of streams
Conflict:NA
Reference:https://github.com/apache/httpd/commit/decce82a706abd78dfc32821a03ad93841d7758a
---
changes-entries/h2_cleanup.txt | 2 ++
modules/http2/h2_mplx.c | 26 ++++++++++++++++++++++----
modules/http2/h2_mplx.h | 3 ++-
modules/http2/h2_session.c | 18 +++++++++++++++++-
modules/http2/h2_stream.c | 2 +-
5 files changed, 44 insertions(+), 7 deletions(-)
create mode 100644 changes-entries/h2_cleanup.txt
diff --git a/changes-entries/h2_cleanup.txt b/changes-entries/h2_cleanup.txt
new file mode 100644
index 0000000..305f24a
--- /dev/null
+++ b/changes-entries/h2_cleanup.txt
@@ -0,0 +1,2 @@
+* mod_http2: improved early cleanup of streams.
+ [Stefan Eissing]
diff --git a/modules/http2/h2_mplx.c b/modules/http2/h2_mplx.c
index 99c47ea..b4855af 100644
--- a/modules/http2/h2_mplx.c
+++ b/modules/http2/h2_mplx.c
@@ -1064,14 +1064,32 @@ static int reset_is_acceptable(h2_stream *stream)
return 1; /* otherwise, be forgiving */
}
-apr_status_t h2_mplx_c1_client_rst(h2_mplx *m, int stream_id)
+apr_status_t h2_mplx_c1_client_rst(h2_mplx *m, int stream_id, h2_stream * stream)
{
- h2_stream *stream;
apr_status_t status = APR_SUCCESS;
+ int registered;
H2_MPLX_ENTER_ALWAYS(m);
- stream = h2_ihash_get(m->streams, stream_id);
- if (stream && !reset_is_acceptable(stream)) {
+ registered = (h2_ihash_get(m->streams, stream_id) != NULL);
+ if (!stream) {
+ /* a RST might arrive so late, we have already forgotten
+ * about it. Seems ok. */
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, m->c1,
+ H2_MPLX_MSG(m, "RST on unknown stream %d"), stream_id);
+ AP_DEBUG_ASSERT(!registered);
+ }
+ else if (!registered) {
+ /* a RST on a stream that mplx has not been told about, but
+ * which the session knows. Very early and annoying. */
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, m->c1
+ H2_STRM_MSG(stream, "very early RST, drop"));
+ h2_stream_set_monitor(stream, NULL);
+ h2_stream_rst(stream, H2_ERR_STREAM_CLOSED);
+ h2_stream_dispatch(stream, H2_SEV_EOS_SENT);
+ m_stream_cleanup(m, stream);
+ m_be_annoyed(m);
+ }
+ else if (!reset_is_acceptable(stream)) {
m_be_annoyed(m);
}
H2_MPLX_LEAVE(m);
diff --git a/modules/http2/h2_mplx.h b/modules/http2/h2_mplx.h
index 1f79aa8..f565a09 100644
--- a/modules/http2/h2_mplx.h
+++ b/modules/http2/h2_mplx.h
@@ -198,7 +198,8 @@ apr_status_t h2_mplx_c1_streams_do(h2_mplx *m, h2_mplx_stream_cb *cb, void *ctx)
* any processing going on and remove from processing
* queue.
*/
-apr_status_t h2_mplx_c1_client_rst(h2_mplx *m, int stream_id);
+apr_status_t h2_mplx_c1_client_rst(h2_mplx *m, int stream_id,
+ struct h2_stream *stream);
/**
* Get readonly access to a stream for a secondary connection.
diff --git a/modules/http2/h2_session.c b/modules/http2/h2_session.c
index 7ba49cf..f740373 100644
--- a/modules/http2/h2_session.c
+++ b/modules/http2/h2_session.c
@@ -402,6 +402,10 @@ static int on_frame_recv_cb(nghttp2_session *ng2s,
H2_SSSN_STRM_MSG(session, frame->hd.stream_id,
"RST_STREAM by client, error=%d"),
(int)frame->rst_stream.error_code);
+ if (stream) {
+ rv = h2_stream_recv_frame(stream, NGHTTP2_RST_STREAM, frame->hd.flags,
+ frame->hd.length + H2_FRAME_HDR_LEN);
+ }
if (stream && stream->initiated_on) {
/* A stream reset on a request we sent it. Normal, when the
* client does not want it. */
@@ -410,7 +414,8 @@ static int on_frame_recv_cb(nghttp2_session *ng2s,
else {
/* A stream reset on a request it sent us. Could happen in a browser
* when the user navigates away or cancels loading - maybe. */
- h2_mplx_c1_client_rst(session->mplx, frame->hd.stream_id);
+ h2_mplx_c1_client_rst(session->mplx, frame->hd.stream_id,
+ stream);
}
++session->streams_reset;
break;
@@ -813,6 +818,17 @@ static apr_status_t session_cleanup(h2_session *session, const char *trigger)
"goodbye, clients will be confused, should not happen"));
}
+ if (!h2_iq_empty(session->ready_to_process)) {
+ int sid;
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
+ H2_SSSN_LOG(APLOG(), session,
+ "cleanup, resetting %d stream in ready-to-process"),
+ h2_iq_count(session->ready_to_process));
+ while ((sid = h2_iq_shift(session->ready_to_process)) > 0) {
+ h2_mplx_c1_client_rst(session->mplx, sid, get_stream(session, sid));
+ }
+ }
+
transit(session, trigger, H2_SESSION_ST_CLEANUP);
h2_mplx_c1_destroy(session->mplx);
session->mplx = NULL;
diff --git a/modules/http2/h2_stream.c b/modules/http2/h2_stream.c
index cf6f798..17e5d34 100644
--- a/modules/http2/h2_stream.c
+++ b/modules/http2/h2_stream.c
@@ -125,7 +125,7 @@ static int trans_on_event[][H2_SS_MAX] = {
{ S_XXX, S_ERR, S_ERR, S_CL_L, S_CLS, S_XXX, S_XXX, S_XXX, },/* EV_CLOSED_L*/
{ S_ERR, S_ERR, S_ERR, S_CL_R, S_ERR, S_CLS, S_NOP, S_NOP, },/* EV_CLOSED_R*/
{ S_CLS, S_CLS, S_CLS, S_CLS, S_CLS, S_CLS, S_NOP, S_NOP, },/* EV_CANCELLED*/
-{ S_NOP, S_XXX, S_XXX, S_XXX, S_XXX, S_CLS, S_CLN, S_XXX, },/* EV_EOS_SENT*/
+{ S_NOP, S_XXX, S_XXX, S_XXX, S_XXX, S_CLS, S_CLN, S_NOP, },/* EV_EOS_SENT*/
{ S_NOP, S_XXX, S_CLS, S_XXX, S_XXX, S_CLS, S_XXX, S_XXX, },/* EV_IN_ERROR*/
};
--
2.23.0

27
backport-fix-memory-leak-in-calc_sha256_hash.patch
View File

@ -1,27 +0,0 @@
From ff558f52f528dd21eb0a77de74d828e1459cdd62 Mon Sep 17 00:00:00 2001
From: Joe Orton <notroj@redhat.com>
Date: Fri, 7 Jul 2023 08:04:38 PM GMT+0800
Subject: [PATCH] fix memory leak in calc_sha256_hash
Conflict:NA
Reference:https://github.com/apache/httpd/commmit/ff558f52f528dd21eb0a77de74d828e1459cdd62
---
modules/http2/h2_push.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/http2/h2_push.c b/modules/http2/h2_push.c
index 462c470..dd0928b 100644
--- a/modules/http2/h2_push.c
+++ b/modules/http2/h2_push.c
@@ -502,6 +502,7 @@ static void calc_sha256_hash(h2_push_diary *diary, apr_uint64_t *phash, h2_push
sha256_update(md, push->req->authority);
sha256_update(md, push->req->path);
EVP_DigestFinal(md, hash, &len);
+ EVP_MD_CTX_destroy(md);
val = 0;
for (i = 0; i != len; ++i)
--
2.23.0

BIN
httpd-2.4.55.tar.bz2
View File

Binary file not shown.

BIN
httpd-2.4.58.tar.bz2 Normal file
View File

Binary file not shown.

16
httpd.spec
View File

@ -7,8 +7,8 @@
Name: httpd Name: httpd
Summary: Apache HTTP Server Summary: Apache HTTP Server
Version: 2.4.55 Version: 2.4.58
Release: 5 Release: 1
License: ASL 2.0 License: ASL 2.0
URL: https://httpd.apache.org/ URL: https://httpd.apache.org/
Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@ -69,12 +69,6 @@ Patch15: backport-httpd-2.4.43-gettid.patch
Patch16: backport-httpd-2.4.43-r1861793+.patch Patch16: backport-httpd-2.4.43-r1861793+.patch
Patch17: backport-httpd-2.4.48-r1828172+.patch Patch17: backport-httpd-2.4.48-r1828172+.patch
Patch18: backport-httpd-2.4.46-htcacheclean-dont-break.patch Patch18: backport-httpd-2.4.46-htcacheclean-dont-break.patch
Patch19: backport-CVE-2023-27522.patch
Patch20: backport-CVE-2023-25690.patch
Patch21: backport-fix-memory-leak-in-calc_sha256_hash.patch
Patch22: backport-CVE-2023-31122-out-of-bound-Read.patch
Patch23: backport-CVE-2023-45802-improved-early-cleanup-of-streams.patch
Patch24: backport-CVE-2023-43622-fixed-a-bug-in-handling-of-stream-timeouts.patch
BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@ -511,6 +505,12 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd %{_rpmconfigdir}/macros.d/macros.httpd
%changelog %changelog
* Mon Jan 29 2024 chengyechun <chengyechun1@huawei.com> - 2.4.58-1
- Type:enhancement
- ID:NA
- SUG:NA
- DESC:update to httpd-2.4.58
* Fri Nov 03 2023 chengyechun <chengyechun1@huawei.com> - 2.4.55-5 * Fri Nov 03 2023 chengyechun <chengyechun1@huawei.com> - 2.4.55-5
- Type:CVE - Type:CVE
- ID:CVE-2023-31122, CVE-2023-45802, CVE-2023-43622 - ID:CVE-2023-31122, CVE-2023-45802, CVE-2023-43622