From 08f598e2dfd61bcf45a96dea8982772124f55bd5 Mon Sep 17 00:00:00 2001
From: mayp
Date: Mon, 3 Apr 2023 11:02:49 +0800
Subject: [PATCH] fix CVE-2023-1108
Signed-off-by: mayp
---
 CVE-2023-1108.patch | 25 +++++++++++++++++++++++++
 undertow.spec | 8 +++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-1108.patch
diff --git a/CVE-2023-1108.patch b/CVE-2023-1108.patch
new file mode 100644
index 0000000..b6a96e5
--- /dev/null
+++ b/CVE-2023-1108.patch
@@ -0,0 +1,25 @@
+From bf5516169cb201eac99957091a2b186c4dddd211 Mon Sep 17 00:00:00 2001
+From: mayp
+Date: Mon, 3 Apr 2023 10:52:03 +0800
+Subject: [PATCH] fix CVE-2023-1108
+
+---
+ core/src/main/java/io/undertow/protocols/ssl/SslConduit.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java b/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java
+index 3084915..dde0e0c 100644
+--- a/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java
++++ b/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java
+@@ -852,7 +852,7 @@ public class SslConduit implements StreamSourceConduit, StreamSinkConduit {
+ }
+ try {
+ SSLEngineResult result = null;
+- while (result == null || (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP && result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW)) {
++ while (result == null || (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP && result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW && !engine.isInboundDone())) {
+ if (userBuffers == null) {
+ result = engine.wrap(EMPTY_BUFFER, wrappedData.getBuffer());
+ } else {
+--
+2.36.1
+
diff --git a/undertow.spec b/undertow.spec
index e370e2e..c981062 100644
--- a/undertow.spec
+++ b/undertow.spec
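Review bot: The nested patch in CVE-2023-1108.patch carries no reference to the upstream commit or issue it was taken from, so the change to the `while` condition in SslConduit.java cannot be audited against the upstream fix; a header line such as `Upstream: <upstream commit id>` (placeholder) would record the provenance. The new `!engine.isInboundDone()` term is what lets the wrap loop exit when the engine keeps reporting NEED_WRAP without ever returning BUFFER_OVERFLOW, which appears to be the non-terminating case behind the CVE, and a short comment above the loop, `// stop re-wrapping once inbound is closed, otherwise NEED_WRAP can spin here (CVE-2023-1108)`, would keep a later refactor from dropping it. The condition still does not look at `SSLEngineResult.Status.CLOSED`, so it is worth confirming on the 1.4.0 tree that a closed outbound side cannot keep the loop running. The method containing the loop starts and ends outside the hunk, and no regression test is added with the fix.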
@@ -2,7 +2,7 @@
 %global namedversion %{version}%{?namedreltag}
 Name: undertow
 Version: 1.4.0
-Release: 4
+Release: 5
 Summary: Java web server using non-blocking IO
 License: ASL 2.0
 URL: http://undertow.io/
@@ -12,6 +12,7 @@ Patch0: undertow-1.4.0-jetty-alpn-api-1.1.0.patch
 Patch1: CVE-2020-10705.patch
 Patch2: CVE-2019-3888.patch
 Patch3: CVE-2020-10719.patch
+Patch4: CVE-2023-1108.patch
 BuildArch: noarch
 Epoch: 1
 BuildRequires: maven-local mvn(junit:junit) mvn(org.eclipse.jetty.alpn:alpn-api)
@@ -38,6 +39,7 @@ This package contains the API documentation for %{name}.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 rm -rf mac-jdk-fix
 %pom_disable_module examples
 %pom_remove_plugin -r :maven-checkstyle-plugin
@@ -66,6 +68,10 @@ done
 %license LICENSE.txt
 %changelog
+
+* Mon Apr 3 2023 mayp - 1:1.4.0-5
+- Fix CVE-2023-1108
+
 * Wed Oct 29 2021 wangkai - 1.4.0-4
 - Fix CVE-2020-10719
-- Gitee