rpms/cups
6
0
Fork 0
Code Issues Pull Requests Releases Activity
c8s
cups/cups-CVE-2025-58436.patch
Zdenek Dohnal e4481e60a5 RHEL-129729 CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack 
Resolves: RHEL-129729
2025-12-09 16:40:34 +01:00

525 lines
17 KiB
Diff
Raw Permalink Blame History

diff -up cups-2.2.6/cups/http.c.slow-client cups-2.2.6/cups/http.c
--- cups-2.2.6/cups/http.c.slow-client 2025-12-09 15:13:08.505351097 +0100
+++ cups-2.2.6/cups/http.c 2025-12-09 15:16:54.210443194 +0100
@@ -52,7 +52,7 @@ static http_t *http_create(const char *
static void http_debug_hex(const char *prefix, const char *buffer,
int bytes);
#endif /* DEBUG */
-static ssize_t http_read(http_t *http, char *buffer, size_t length);
+static ssize_t http_read(http_t *http, char *buffer, size_t length, int timeout);
static ssize_t http_read_buffered(http_t *http, char *buffer, size_t length);
static ssize_t http_read_chunk(http_t *http, char *buffer, size_t length);
static int http_send(http_t *http, http_state_t request,
@@ -1209,7 +1209,7 @@ httpGets(char *line, /* I - Line to
return (NULL);
}
- bytes = http_read(http, http->buffer + http->used, (size_t)(HTTP_MAX_BUFFER - http->used));
+ bytes = http_read(http, http->buffer + http->used, (size_t)(_HTTP_MAX_BUFFER - http->used), http->wait_value);
DEBUG_printf(("4httpGets: read " CUPS_LLFMT " bytes.", CUPS_LLCAST bytes));
@@ -1724,24 +1724,13 @@ httpPeek(http_t *http, /* I - HTTP con
ssize_t buflen; /* Length of read for buffer */
- if (!http->blocking)
- {
- while (!httpWait(http, http->wait_value))
- {
- if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
- continue;
-
- return (0);
- }
- }
-
if ((size_t)http->data_remaining > sizeof(http->buffer))
buflen = sizeof(http->buffer);
else
buflen = (ssize_t)http->data_remaining;
DEBUG_printf(("2httpPeek: Reading %d bytes into buffer.", (int)buflen));
- bytes = http_read(http, http->buffer, (size_t)buflen);
+ bytes = http_read(http, http->buffer, (size_t)buflen, http->wait_value);
DEBUG_printf(("2httpPeek: Read " CUPS_LLFMT " bytes into buffer.",
CUPS_LLCAST bytes));
@@ -1762,9 +1751,9 @@ httpPeek(http_t *http, /* I - HTTP con
int zerr; /* Decompressor error */
z_stream stream; /* Copy of decompressor stream */
- if (http->used > 0 && http->stream.avail_in < HTTP_MAX_BUFFER)
+ if (http->used > 0 && http->stream.avail_in < _HTTP_MAX_BUFFER)
{
- size_t buflen = buflen = HTTP_MAX_BUFFER - http->stream.avail_in;
+ size_t buflen = buflen = _HTTP_MAX_BUFFER - http->stream.avail_in;
/* Number of bytes to copy */
if (http->stream.avail_in > 0 &&
@@ -2022,7 +2011,7 @@ httpRead2(http_t *http, /* I - HTTP co
if (bytes == 0)
{
- ssize_t buflen = HTTP_MAX_BUFFER - (ssize_t)http->stream.avail_in;
+ ssize_t buflen = _HTTP_MAX_BUFFER - (ssize_t)http->stream.avail_in;
/* Additional bytes for buffer */
if (buflen > 0)
@@ -2893,7 +2882,7 @@ int /* O - 1 to continue, 0 to stop
_httpUpdate(http_t *http, /* I - HTTP connection */
http_status_t *status) /* O - Current HTTP status */
{
- char line[32768], /* Line from connection... */
+ char line[_HTTP_MAX_BUFFER], /* Line from connection... */
*value; /* Pointer to value on line */
http_field_t field; /* Field index */
int major, minor; /* HTTP version numbers */
@@ -2901,12 +2890,46 @@ _httpUpdate(http_t *http, /* I -
DEBUG_printf(("_httpUpdate(http=%p, status=%p), state=%s", (void *)http, (void *)status, httpStateString(http->state)));
+ /* When doing non-blocking I/O, make sure we have a whole line... */
+ if (!http->blocking)
+ {
+ ssize_t bytes; /* Bytes "peeked" from connection */
+
+ /* See whether our read buffer is full... */
+ DEBUG_printf(("2_httpUpdate: used=%d", http->used));
+
+ if (http->used > 0 && !memchr(http->buffer, '\n', (size_t)http->used) && (size_t)http->used < sizeof(http->buffer))
+ {
+ /* No, try filling in more data... */
+ if ((bytes = http_read(http, http->buffer + http->used, sizeof(http->buffer) - (size_t)http->used, /*timeout*/0)) > 0)
+ {
+ DEBUG_printf(("2_httpUpdate: Read %d bytes.", (int)bytes));
+ http->used += (int)bytes;
+ }
+ }
+
+ /* Peek at the incoming data... */
+ if (!http->used || !memchr(http->buffer, '\n', (size_t)http->used))
+ {
+ /* Don't have a full line, tell the reader to try again when there is more data... */
+ DEBUG_puts("1_htttpUpdate: No newline in buffer yet.");
+ if ((size_t)http->used == sizeof(http->buffer))
+ *status = HTTP_STATUS_ERROR;
+ else
+ *status = HTTP_STATUS_CONTINUE;
+ return (0);
+ }
+
+ DEBUG_puts("2_httpUpdate: Found newline in buffer.");
+ }
+
/*
* Grab a single line from the connection...
*/
if (!httpGets(line, sizeof(line), http))
{
+ DEBUG_puts("1_httpUpdate: Error reading request line.");
*status = HTTP_STATUS_ERROR;
return (0);
}
@@ -4054,7 +4077,8 @@ http_debug_hex(const char *prefix, /* I
static ssize_t /* O - Number of bytes read or -1 on error */
http_read(http_t *http, /* I - HTTP connection */
char *buffer, /* I - Buffer */
- size_t length) /* I - Maximum bytes to read */
+ size_t length, /* I - Maximum bytes to read */
+ int timeout) /* I - Wait timeout */
{
ssize_t bytes; /* Bytes read */
@@ -4063,7 +4087,7 @@ http_read(http_t *http, /* I - HTTP co
if (!http->blocking || http->timeout_value > 0.0)
{
- while (!httpWait(http, http->wait_value))
+ while (!_httpWait(http, timeout, 1))
{
if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
continue;
@@ -4181,7 +4205,7 @@ http_read_buffered(http_t *http, /* I -
else
bytes = (ssize_t)length;
- DEBUG_printf(("2http_read: Grabbing %d bytes from input buffer.",
+ DEBUG_printf(("2http_read_buffered: Grabbing %d bytes from input buffer.",
(int)bytes));
memcpy(buffer, http->buffer, (size_t)bytes);
@@ -4191,7 +4215,7 @@ http_read_buffered(http_t *http, /* I -
memmove(http->buffer, http->buffer + bytes, (size_t)http->used);
}
else
- bytes = http_read(http, buffer, length);
+ bytes = http_read(http, buffer, length, http->wait_value);
return (bytes);
}
@@ -4536,15 +4560,15 @@ http_set_timeout(int fd, /* I - File
static void
http_set_wait(http_t *http) /* I - HTTP connection */
{
- if (http->blocking)
- {
- http->wait_value = (int)(http->timeout_value * 1000);
+ http->wait_value = (int)(http->timeout_value * 1000);
- if (http->wait_value <= 0)
+ if (http->wait_value <= 0)
+ {
+ if (http->blocking)
http->wait_value = 60000;
+ else
+ http->wait_value = 1000;
}
- else
- http->wait_value = 10000;
}
diff -up cups-2.2.6/cups/http-private.h.slow-client cups-2.2.6/cups/http-private.h
--- cups-2.2.6/cups/http-private.h.slow-client 2025-12-09 15:13:08.405517186 +0100
+++ cups-2.2.6/cups/http-private.h 2025-12-09 15:14:41.466141368 +0100
@@ -172,6 +172,7 @@ extern "C" {
* Constants...
*/
+# define _HTTP_MAX_BUFFER 32768 /* Size of read buffer */
# define _HTTP_MAX_SBUFFER 65536 /* Size of (de)compression buffer */
# define _HTTP_RESOLVE_DEFAULT 0 /* Just resolve with default options */
# define _HTTP_RESOLVE_STDERR 1 /* Log resolve progress to stderr */
@@ -298,8 +299,8 @@ struct _http_s /**** HTTP connection
http_encoding_t data_encoding; /* Chunked or not */
int _data_remaining;/* Number of bytes left (deprecated) */
int used; /* Number of bytes used in buffer */
- char buffer[HTTP_MAX_BUFFER];
- /* Buffer for incoming data */
+ char _buffer[HTTP_MAX_BUFFER];
+ /* Old read buffer (deprecated) */
int _auth_type; /* Authentication in use (deprecated) */
_cups_md5_state_t md5_state; /* MD5 state */
char nonce[HTTP_MAX_VALUE];
@@ -368,6 +369,8 @@ struct _http_s /**** HTTP connection
z_stream stream; /* (De)compression stream */
Bytef *sbuffer; /* (De)compression buffer */
# endif /* HAVE_LIBZ */
+ char buffer[_HTTP_MAX_BUFFER];
+ /* Read buffer */
};
# endif /* !_HTTP_NO_PRIVATE */
diff -up cups-2.2.6/scheduler/client.c.slow-client cups-2.2.6/scheduler/client.c
--- cups-2.2.6/scheduler/client.c.slow-client 2025-12-09 15:13:08.478315602 +0100
+++ cups-2.2.6/scheduler/client.c 2025-12-09 15:23:26.936553480 +0100
@@ -44,11 +44,11 @@
static int check_if_modified(cupsd_client_t *con,
struct stat *filestats);
-static int compare_clients(cupsd_client_t *a, cupsd_client_t *b,
- void *data);
#ifdef HAVE_SSL
-static int cupsd_start_tls(cupsd_client_t *con, http_encryption_t e);
+static int check_start_tls(cupsd_client_t *con);
#endif /* HAVE_SSL */
+static int compare_clients(cupsd_client_t *a, cupsd_client_t *b,
+ void *data);
static char *get_file(cupsd_client_t *con, struct stat *filestats,
char *filename, size_t len);
static http_status_t install_cupsd_conf(cupsd_client_t *con);
@@ -423,14 +423,20 @@ cupsdAcceptClient(cupsd_listener_t *lis)
if (lis->encryption == HTTP_ENCRYPTION_ALWAYS)
{
/*
- * https connection; go secure...
+ * HTTPS connection, force TLS negotiation...
*/
- if (cupsd_start_tls(con, HTTP_ENCRYPTION_ALWAYS))
- cupsdCloseClient(con);
+ con->tls_start = time(NULL);
+ con->encryption = HTTP_ENCRYPTION_ALWAYS;
}
else
+ {
+ /*
+ * HTTP connection, but check for HTTPS negotiation on first data...
+ */
+
con->auto_ssl = 1;
+ }
#endif /* HAVE_SSL */
}
@@ -673,17 +679,46 @@ cupsdReadClient(cupsd_client_t *con) /*
con->auto_ssl = 0;
- if (recv(httpGetFd(con->http), buf, 1, MSG_PEEK) == 1 &&
- (!buf[0] || !strchr("DGHOPT", buf[0])))
+ if (recv(httpGetFd(con->http), buf, 5, MSG_PEEK) == 5 && buf[0] == 0x16 && buf[1] == 3 && buf[2])
{
/*
- * Encrypt this connection...
+ * Client hello record, encrypt this connection...
*/
- cupsdLogClient(con, CUPSD_LOG_DEBUG2, "Saw first byte %02X, auto-negotiating SSL/TLS session.", buf[0] & 255);
+ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "Saw client hello record, auto-negotiating TLS session.");
+ con->tls_start = time(NULL);
+ con->encryption = HTTP_ENCRYPTION_ALWAYS;
+ }
+ }
- if (cupsd_start_tls(con, HTTP_ENCRYPTION_ALWAYS))
- cupsdCloseClient(con);
+ if (con->tls_start)
+ {
+ /*
+ * Try negotiating TLS...
+ */
+
+ int tls_status = check_start_tls(con);
+
+ if (tls_status < 0)
+ {
+ /*
+ * TLS negotiation failed, close the connection.
+ */
+
+ cupsdCloseClient(con);
+ return;
+ }
+ else if (tls_status == 0)
+ {
+ /*
+ * Nothing to do yet...
+ */
+
+ if ((time(NULL) - con->tls_start) > 5)
+ {
+ // Timeout, close the connection...
+ cupsdCloseClient(con);
+ }
return;
}
@@ -847,9 +882,7 @@ cupsdReadClient(cupsd_client_t *con) /*
* Parse incoming parameters until the status changes...
*/
- while ((status = httpUpdate(con->http)) == HTTP_STATUS_CONTINUE)
- if (!httpGetReady(con->http))
- break;
+ status = httpUpdate(con->http);
if (status != HTTP_STATUS_OK && status != HTTP_STATUS_CONTINUE)
{
@@ -999,11 +1032,10 @@ cupsdReadClient(cupsd_client_t *con) /*
return;
}
- if (cupsd_start_tls(con, HTTP_ENCRYPTION_REQUIRED))
- {
- cupsdCloseClient(con);
- return;
- }
+ con->tls_start = time(NULL);
+ con->tls_upgrade = 1;
+ con->encryption = HTTP_ENCRYPTION_REQUIRED;
+ return;
#else
if (!cupsdSendError(con, HTTP_STATUS_NOT_IMPLEMENTED, CUPSD_AUTH_NONE))
{
@@ -1042,32 +1074,11 @@ cupsdReadClient(cupsd_client_t *con) /*
if (!_cups_strcasecmp(httpGetField(con->http, HTTP_FIELD_CONNECTION),
"Upgrade") && !httpIsEncrypted(con->http))
{
-#ifdef HAVE_SSL
- /*
- * Do encryption stuff...
- */
-
- httpClearFields(con->http);
-
- if (!cupsdSendHeader(con, HTTP_STATUS_SWITCHING_PROTOCOLS, NULL,
- CUPSD_AUTH_NONE))
- {
- cupsdCloseClient(con);
- return;
- }
-
- if (cupsd_start_tls(con, HTTP_ENCRYPTION_REQUIRED))
- {
- cupsdCloseClient(con);
- return;
- }
-#else
if (!cupsdSendError(con, HTTP_STATUS_NOT_IMPLEMENTED, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
}
-#endif /* HAVE_SSL */
}
if ((status = cupsdIsAuthorized(con, NULL)) != HTTP_STATUS_OK)
@@ -3003,6 +3014,69 @@ check_if_modified(
}
+#ifdef HAVE_SSL
+/*
+ * 'check_start_tls()' - Start encryption on a connection.
+ */
+
+static int /* O - 0 to continue, 1 on success, -1 on error */
+check_start_tls(cupsd_client_t *con) /* I - Client connection */
+{
+ unsigned char chello[4096]; /* Client hello record */
+ ssize_t chello_bytes; /* Bytes read/peeked */
+ int chello_len; /* Length of record */
+
+
+ /*
+ * See if we have a good and complete client hello record...
+ */
+
+ if ((chello_bytes = recv(httpGetFd(con->http), (char *)chello, sizeof(chello), MSG_PEEK)) < 5)
+ return (0); /* Not enough bytes (yet) */
+
+ if (chello[0] != 0x016 || chello[1] != 3 || chello[2] == 0)
+ return (-1); /* Not a TLS Client Hello record */
+
+ chello_len = (chello[3] << 8) | chello[4];
+
+ if ((chello_len + 5) > chello_bytes)
+ return (0); /* Not enough bytes yet */
+
+ /*
+ * OK, we do, try negotiating...
+ */
+
+ con->tls_start = 0;
+
+ if (httpEncryption(con->http, con->encryption))
+ {
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to encrypt connection: %s", cupsLastErrorString());
+ return (-1);
+ }
+
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Connection now encrypted.");
+
+ if (con->tls_upgrade)
+ {
+ // Respond to the original OPTIONS command...
+ con->tls_upgrade = 0;
+
+ httpClearFields(con->http);
+ httpClearCookie(con->http);
+ httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0");
+
+ if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE))
+ {
+ cupsdCloseClient(con);
+ return (-1);
+ }
+ }
+
+ return (1);
+}
+#endif /* HAVE_SSL */
+
+
/*
* 'compare_clients()' - Compare two client connections.
*/
@@ -3023,28 +3097,6 @@ compare_clients(cupsd_client_t *a, /* I
}
-#ifdef HAVE_SSL
-/*
- * 'cupsd_start_tls()' - Start encryption on a connection.
- */
-
-static int /* O - 0 on success, -1 on error */
-cupsd_start_tls(cupsd_client_t *con, /* I - Client connection */
- http_encryption_t e) /* I - Encryption mode */
-{
- if (httpEncryption(con->http, e))
- {
- cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to encrypt connection: %s",
- cupsLastErrorString());
- return (-1);
- }
-
- cupsdLogClient(con, CUPSD_LOG_DEBUG, "Connection now encrypted.");
- return (0);
-}
-#endif /* HAVE_SSL */
-
-
/*
* 'get_file()' - Get a filename and state info.
*/
diff -up cups-2.2.6/scheduler/client.h.slow-client cups-2.2.6/scheduler/client.h
--- cups-2.2.6/scheduler/client.h.slow-client 2025-12-09 15:13:08.395814648 +0100
+++ cups-2.2.6/scheduler/client.h 2025-12-09 15:36:24.758565531 +0100
@@ -59,6 +59,9 @@ struct cupsd_client_s
cups_lang_t *language; /* Language to use */
#ifdef HAVE_SSL
int auto_ssl; /* Automatic test for SSL/TLS */
+ time_t tls_start; /* Do TLS negotiation? */
+ int tls_upgrade; /* Doing TLS upgrade via OPTIONS? */
+ http_encryption_t encryption; /* Type of TLS negotiation */
#endif /* HAVE_SSL */
http_addr_t clientaddr; /* Client's server address */
char clientname[256];/* Client's server name for connection */
diff -up cups-2.2.6/scheduler/select.c.slow-client cups-2.2.6/scheduler/select.c
--- cups-2.2.6/scheduler/select.c.slow-client 2017-11-01 15:57:53.000000000 +0100
+++ cups-2.2.6/scheduler/select.c 2025-12-09 15:13:08.508485767 +0100
@@ -412,6 +412,9 @@ cupsdDoSelect(long timeout) /* I - Time
cupsd_in_select = 1;
+ // Prevent 100% CPU by releasing control before the kevent call...
+ usleep(1);
+
if (timeout >= 0 && timeout < 86400)
{
ktimeout.tv_sec = timeout;
@@ -458,6 +461,9 @@ cupsdDoSelect(long timeout) /* I - Time
struct epoll_event *event; /* Current event */
+ // Prevent 100% CPU by releasing control before the epoll_wait call...
+ usleep(1);
+
if (timeout >= 0 && timeout < 86400)
nfds = epoll_wait(cupsd_epoll_fd, cupsd_epoll_events, MaxFDs,
timeout * 1000);
@@ -550,6 +556,9 @@ cupsdDoSelect(long timeout) /* I - Time
}
}
+ // Prevent 100% CPU by releasing control before the poll call...
+ usleep(1);
+
if (timeout >= 0 && timeout < 86400)
nfds = poll(cupsd_pollfds, (nfds_t)count, timeout * 1000);
else
@@ -603,6 +612,9 @@ cupsdDoSelect(long timeout) /* I - Time
cupsd_current_input = cupsd_global_input;
cupsd_current_output = cupsd_global_output;
+ // Prevent 100% CPU by releasing control before the select call...
+ usleep(1);
+
if (timeout >= 0 && timeout < 86400)
{
stimeout.tv_sec = timeout;
Reference in New Issue View Git Blame Copy Permalink