Refuse interim responses with end-stream flag set

Resolves: #2161140
2023-02-27 11:29:39 -06:00 · 2023-02-27 11:29:39 -06:00 · 26c38e5ff7
commit 26c38e5ff7
parent a5a6249b24
2 changed files with 59 additions and 1 deletions
--- a/bz2161140-refuse-response-end-stream-flag.patch
+++ b/bz2161140-refuse-response-end-stream-flag.patch
@ -0,0 +1,52 @@
+From 2c681c6f30fb90adab4701e287ff7a7db669b2e7 Mon Sep 17 00:00:00 2001
+From: Christopher Faulet <cfaulet@haproxy.com>
+Date: Thu, 22 Dec 2022 09:47:01 +0100
+Subject: [PATCH] BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream
+ flag set
+
+As state in RFC9113#8.1, HEADERS frame with the ES flag set that carries an
+informational status code is malformed. However, there is no test on this
+condition.
+
+On 2.4 and higher, it is hard to predict consequences of this bug because
+end of the message is only reported with a flag. But on 2.2 and lower, it
+leads to a crash because there is an unexpected extra EOM block at the end
+of an interim response.
+
+Now, when a ES flag is detected on a HEADERS frame for an interim message, a
+stream error is sent (RST_STREAM/PROTOCOL_ERROR).
+
+This patch should solve the issue #1972. It should be backported as far as
+2.0.
+
+(cherry picked from commit 827a6299e6995c5c3ba620d8b7cbacdaef67f2c4)
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+(cherry picked from commit ebfae006c6b5de1d1fe0cdd51847ec1e39d5cf59)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+(cherry picked from commit 84f5cba24f59b1c8339bb38323fcb01f434ba8e5)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+(cherry picked from commit f5748a98c34bc889cae9386ca4f7073ab3f4c6b1)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+---
+ src/mux_h2.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/mux_h2.c b/src/mux_h2.c
+index 7d23e5abd..7dbbfefec 100644
+--- a/src/mux_h2.c
+++ b/src/mux_h2.c
+@@ -4942,6 +4942,11 @@ static int h2c_decode_headers(struct h2c *h2c, struct buffer *rxbuf, uint32_t *f
+ 		*flags |= H2_SF_HEADERS_RCVD;
+ 
+ 	if (h2c->dff & H2_F_HEADERS_END_STREAM) {
+		if (msgf & H2_MSGF_RSP_1XX) {
+			/* RFC9113#8.1 : HEADERS frame with the ES flag set that carries an informational status code is malformed */
+			TRACE_STATE("invalid interim response with ES flag!", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2C_ERR|H2_EV_PROTO_ERR, h2c->conn);
+			goto fail;
+		}
+ 		/* no more data are expected for this message */
+ 		htx->flags |= HTX_FL_EOM;
+ 	}
+-- 
+2.37.3
+
--- a/haproxy.spec
+++ b/haproxy.spec
@ -8,7 +8,7 @@

 Name:           haproxy
 Version:        2.4.17
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        HAProxy reverse proxy for high availability environments

 License:        GPLv2+
@ -22,6 +22,8 @@ Source4:        %{name}.sysconfig
 Source5:        %{name}.sysusers
 Source6:        halog.1

+Patch0: bz2161140-refuse-response-end-stream-flag.patch
+
 BuildRequires:  gcc
 BuildRequires:  lua-devel
 BuildRequires:  pcre2-devel
@ -50,6 +52,7 @@ availability environments. Indeed, it can:

 %prep
 %setup -q
+%patch0 -p1

 %build
 regparm_opts=
@ -132,6 +135,9 @@ done
 %{_sysusersdir}/%{name}.conf

 %changelog
+* Mon Feb 27 2023 Ryan O'Hara <rohara@redhat.com> - 2.4.17-5
+- Refuse interim responses with end-stream flag set (CVE-2023-0056, #2161140)
+
 * Wed Nov 30 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.17-4
 - Use systemd-sysusers for user/group creation (#2095422)