diff --git a/backport-ssl-do-not-trigger-EOF-if-some-data-had-been-successf.patch b/backport-ssl-do-not-trigger-EOF-if-some-data-had-been-successf.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bf65807beb8937a725b46a882eb3a496dd8a1e5b
--- /dev/null
+++ b/backport-ssl-do-not-trigger-EOF-if-some-data-had-been-successf.patch
@@ -0,0 +1,44 @@
+From 7652cf4068f77905a56b9165455ec7e90917ec31 Mon Sep 17 00:00:00 2001
+From: Azat Khuzhin
+Date: Sun, 14 May 2023 16:53:13 +0200
+Subject: [PATCH] ssl: do not triger EOF if some data had been successfully
+read
+
+Reference:https://github.com/libevent/libevent/commit/ef51444f439b922c8fb00c7ef3f8482b6400b6ea
+https://github.com/libevent/libevent/commit/49a7ae4c5668ebad7b6c4618664224c1a0bc5079
+https://github.com/libevent/libevent/commit/7652cf4068f77905a56b9165455ec7e90917ec31
+
+Previously in case when evbuffer_reserve_space() returns > 1, but
+it was able to read only 1 IO vector, it will try to read the next one,
+got 0 (EOF for mbedTLS or SSL_ERROR_ZERO_RETURN for OpenSSL) and will
+trigger EOF, while instead, it should trigger EV_READ w/o EOF and only
+after EOF.
+---
+ bufferevent_openssl.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/bufferevent_openssl.c b/bufferevent_openssl.c
+index b51b834..8b4b655 100644
+--- a/bufferevent_openssl.c
++++ b/bufferevent_openssl.c
+@@ -616,6 +616,17 @@ do_read(struct bufferevent_openssl *bev_ssl, int n_to_read) {
+ } else {
+ int err = SSL_get_error(bev_ssl->ssl, r);
+ print_err(err);
++ /* NOTE: we ignore the error in case of some progress was done,
++ * because currently we do not send close_notify, and this will
++ * lead to error from SSL_read() (it will return 0, and
++ * SSL_get_error() will return SSL_ERROR_SSL), and this is because
++ * of lack of close_notify
++ *
++ * But AFAICS some code uses it the same way (i.e. nginx) */
++ if (result & OP_MADE_PROGRESS) {
++ /* Process existing data */
++ break;
++ }
+ switch (err) {
+ case SSL_ERROR_WANT_READ:
+ /* Can't read until underlying has more data. */
+--
+2.27.0
+
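Review bot: The added `if (result & OP_MADE_PROGRESS) break;` is placed before `switch (err)`, so in the patched do_read() a fatal `SSL_ERROR_SSL` or `SSL_ERROR_SYSCALL` observed after a partial read is dropped for this call rather than reported, and the in-patch NOTE explains the close_notify rationale but not what becomes of a genuine error. Presumably the error resurfaces on the next do_read() pass, where no progress has been made and the switch runs, but the backport would be easier to audit if the NOTE said so, e.g. add `* A real error is still reported on the next read, where no progress is made.` Separately, the header references three upstream commits but embeds only 7652cf4's metadata and keeps the upstream subject typo "triger"; stating whether the other two commits are prerequisites or already present in 2.1.12 would help the next rebase. do_read() starts and ends outside the embedded hunk.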
@@ -1,6 +1,6 @@
 Name: libevent
 Version: 2.1.12
-Release: 5
+Release: 6
 Summary: An event notification library
 License: BSD
@@ -11,6 +11,7 @@ BuildRequires: gcc doxygen openssl-devel
 Patch0: libevent-nonettests.patch
 Patch1: http-add-callback-to-allow-server-to-decline-and-the.patch
+Patch6000: backport-ssl-do-not-trigger-EOF-if-some-data-had-been-successf.patch
 %description
 Libevent additionally provides a sophisticated framework for buffered network IO, with support for sockets,
@@ -83,6 +84,12 @@ EOF
 %changelog
+* Sat Jul 29 2023 shixuantong - 2.1.12-6
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:ssl: do not trigger EOF if some data had been successfully read
+
 * Thu Oct 27 2022 dongyuzhen - 2.1.12-5
 - Type:bugfix
 - CVE:NA
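Review bot: `Patch6000:` is declared in the second hunk, but %prep is not part of this diff, so it cannot be confirmed from here that the patch is applied; if %prep uses explicit `%patchN` lines rather than `%autosetup -p1`, a matching `%patch6000 -p1` is needed or Release 6 ships without the fix. A one-line comment above the declaration naming the upstream source, e.g. `# backport of upstream libevent commit 7652cf4068f77905a56b9165455ec7e90917ec31`, would let a reader verify the patch without opening it. The %changelog hunk continues past the end of this excerpt.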