Refuse interim responses with end-stream flag set

Resolves: #2161140
This commit is contained in:
Ryan O'Hara 2023-02-27 11:29:39 -06:00
parent a5a6249b24
commit 26c38e5ff7
2 changed files with 59 additions and 1 deletions

View File

@ -0,0 +1,52 @@
From 2c681c6f30fb90adab4701e287ff7a7db669b2e7 Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfaulet@haproxy.com>
Date: Thu, 22 Dec 2022 09:47:01 +0100
Subject: [PATCH] BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream
flag set
As state in RFC9113#8.1, HEADERS frame with the ES flag set that carries an
informational status code is malformed. However, there is no test on this
condition.
On 2.4 and higher, it is hard to predict consequences of this bug because
end of the message is only reported with a flag. But on 2.2 and lower, it
leads to a crash because there is an unexpected extra EOM block at the end
of an interim response.
Now, when a ES flag is detected on a HEADERS frame for an interim message, a
stream error is sent (RST_STREAM/PROTOCOL_ERROR).
This patch should solve the issue #1972. It should be backported as far as
2.0.
(cherry picked from commit 827a6299e6995c5c3ba620d8b7cbacdaef67f2c4)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit ebfae006c6b5de1d1fe0cdd51847ec1e39d5cf59)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 84f5cba24f59b1c8339bb38323fcb01f434ba8e5)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit f5748a98c34bc889cae9386ca4f7073ab3f4c6b1)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
---
src/mux_h2.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/mux_h2.c b/src/mux_h2.c
index 7d23e5abd..7dbbfefec 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -4942,6 +4942,11 @@ static int h2c_decode_headers(struct h2c *h2c, struct buffer *rxbuf, uint32_t *f
*flags |= H2_SF_HEADERS_RCVD;
if (h2c->dff & H2_F_HEADERS_END_STREAM) {
+ if (msgf & H2_MSGF_RSP_1XX) {
+ /* RFC9113#8.1 : HEADERS frame with the ES flag set that carries an informational status code is malformed */
+ TRACE_STATE("invalid interim response with ES flag!", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2C_ERR|H2_EV_PROTO_ERR, h2c->conn);
+ goto fail;
+ }
/* no more data are expected for this message */
htx->flags |= HTX_FL_EOM;
}
--
2.37.3

View File

@ -8,7 +8,7 @@
Name: haproxy
Version: 2.4.17
Release: 4%{?dist}
Release: 5%{?dist}
Summary: HAProxy reverse proxy for high availability environments
License: GPLv2+
@ -22,6 +22,8 @@ Source4: %{name}.sysconfig
Source5: %{name}.sysusers
Source6: halog.1
Patch0: bz2161140-refuse-response-end-stream-flag.patch
BuildRequires: gcc
BuildRequires: lua-devel
BuildRequires: pcre2-devel
@ -50,6 +52,7 @@ availability environments. Indeed, it can:
%prep
%setup -q
%patch0 -p1
%build
regparm_opts=
@ -132,6 +135,9 @@ done
%{_sysusersdir}/%{name}.conf
%changelog
* Mon Feb 27 2023 Ryan O'Hara <rohara@redhat.com> - 2.4.17-5
- Refuse interim responses with end-stream flag set (CVE-2023-0056, #2161140)
* Wed Nov 30 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.17-4
- Use systemd-sysusers for user/group creation (#2095422)