From fee07fe2d4bf559f6e849a00581e2fc4553da95c Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Sat, 18 Sep 2021 11:52:54 +0800 Subject: [PATCH] fix CVE-2021-40346 --- CVE-2021-40346.patch | 65 ++++++++++++++++++++++++++++++++++++++++++++ haproxy.spec | 7 ++++- 2 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 CVE-2021-40346.patch diff --git a/CVE-2021-40346.patch b/CVE-2021-40346.patch new file mode 100644 index 0000000..5f035bf --- /dev/null +++ b/CVE-2021-40346.patch 
@@ -0,0 +1,65 @@ +From 86f4f281efb933900ebcc4fdaef95f566382d907 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Thu, 26 Aug 2021 16:23:37 +0200 +Subject: BUG/MAJOR: htx: fix missing header name length check in + htx_add_header/trailer + +Shachar Menashe for JFrog Security reported that htx_add_header() and +htx_add_trailer() were missing a length check on the header name. While +this does not allow to overwrite any memory area, it results in bits of +the header name length to slip into the header value length and may +result in forging certain header names on the input. The sad thing here +is that a FIXME comment was present suggesting to add the required length +checks :-( + +The injected headers are visible to the HTTP internals and to the config +rules, so haproxy will generally stay synchronized with the server. But +there is one exception which is the content-length header field, because +it is already deduplicated on the input, but before being indexed. As +such, injecting a content-length header after the deduplication stage +may be abused to present a different, shorter one on the other side and +help build a request smuggling attack, or even maybe a response splitting +attack. + +As a mitigation measure, it is sufficient to verify that no more than +one such header is present in any message, which is normally the case +thanks to the duplicate checks: + + http-request deny if { req.hdr_cnt(content-length) gt 1 } + http-response deny if { res.hdr_cnt(content-length) gt 1 } + +This must be backported to all HTX-enabled versions, hence as far as 2.0. +In 2.3 and earlier, the functions are in src/htx.c instead. + +Many thanks to Shachar for his work and his responsible report! 
+ +[wt: code is in src/htx.c in 2.3 and older] +Signed-off-by: Willy Tarreau +--- + src/htx.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/src/htx.c ++++ b/src/htx.c +@@ -859,7 +859,9 @@ struct htx_blk *htx_add_header(struct ht + { + struct htx_blk *blk; + +- /* FIXME: check name.len (< 256B) and value.len (< 1MB) */ ++ if (name.len > 255 || value.len > 1048575) ++ return NULL; ++ + blk = htx_add_blk(htx, HTX_BLK_HDR, name.len + value.len); + if (!blk) + return NULL; +@@ -878,7 +880,9 @@ struct htx_blk *htx_add_trailer(struct h + { + struct htx_blk *blk; + +- /* FIXME: check name.len (< 256B) and value.len (< 1MB) */ ++ if (name.len > 255 || value.len > 1048575) ++ return NULL; ++ + blk = htx_add_blk(htx, HTX_BLK_TLR, name.len + value.len); + if (!blk) + return NULL; diff --git a/haproxy.spec b/haproxy.spec index c4dc999..6ef2205 100644 --- a/haproxy.spec +++ b/haproxy.spec @@ -5,7 +5,7 @@ Name: haproxy Version: 2.2.16 -Release: 1 +Release: 2 Summary: The Reliable, High Performance TCP/HTTP Load Balancer License: GPLv2+ @@ -16,6 +16,8 @@ Source2: %{name}.cfg Source3: %{name}.logrotate Source4: %{name}.sysconfig +Patch0001: CVE-2021-40346.patch + BuildRequires: gcc lua-devel pcre-devel zlib-devel openssl-devel systemd-devel systemd-units libatomic Requires(pre): shadow-utils Requires(post): systemd @@ -120,6 +122,9 @@ exit 0 %{_mandir}/man1/* %changelog +* Sat Sep 18 yaoxin - 2.2.16-2 +- Fix CVE-2021-40346 + * Mon Aug 30 yaoxin - 2.2.16-1 - Upgrade 2.2.16 to fix CVE-2021-39240 -- Gitee
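Review bot: in the htx_add_header hunk, the new `if (name.len > 255 || value.len > 1048575) return NULL;` enforces exactly the limits the removed FIXME asked for (name < 256B, value < 1MB), and because it runs before htx_add_blk() no block is reserved for a rejected header, which lines up with the existing `if (!blk) return NULL;` failure path. The two bare numbers are 2^8-1 and 2^20-1, which is what the commit message describes when it says name-length bits were slipping into the value length; spelling them as named constants tied to that encoding would make the intent obvious and keep the check in step with any future change to the block info layout.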
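Review bot: the htx_add_trailer hunk repeats the header check verbatim; since both functions apply the same limits immediately before the same htx_add_blk() call, a small shared helper or macro (a hypothetical `htx_hdr_len_ok(name, value)`, say) would keep the two copies from drifting apart. The logic itself is correct: it returns NULL before anything is allocated, matching the existing `if (!blk)` path a few lines below.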
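Review bot: the haproxy.spec hunk declares `Patch0001: CVE-2021-40346.patch` but the diff touches nothing in %prep, so confirm that %prep already uses %autosetup or add a `%patch0001 -p1` line; a Patch tag on its own does not apply anything, and 2.2.16-2 would then ship without the fix it claims. The embedded patch's hunks are against src/htx.c, which its own `[wt: code is in src/htx.c in 2.3 and older]` line confirms is the right file for a 2.2.x tree.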
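Review bot: the new %changelog entry `* Sat Sep 18 yaoxin - 2.2.16-2` has no year as shown here (the existing 2.2.16-1 entry has the same shape); unless that is an artifact of how the page was captured, rpmbuild rejects it with "bad date in %changelog", so it should read `* Sat Sep 18 2021 yaoxin - 2.2.16-2`, keeping whatever packager address the real line carries. The `Release: 2` bump and the `2.2.16-2` in the changelog agree with each other.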