From 26c38e5ff7370446ab076156fd6f3b91d01145bc Mon Sep 17 00:00:00 2001 From: Ryan O'Hara Date: Mon, 27 Feb 2023 11:29:39 -0600 Subject: [PATCH] Refuse interim responses with end-stream flag set Resolves: #2161140 --- ...1140-refuse-response-end-stream-flag.patch | 52 +++++++++++++++++++ haproxy.spec | 8 ++- 2 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 bz2161140-refuse-response-end-stream-flag.patch diff --git a/bz2161140-refuse-response-end-stream-flag.patch b/bz2161140-refuse-response-end-stream-flag.patch new file mode 100644 index 0000000..e3e83d9 --- /dev/null +++ b/bz2161140-refuse-response-end-stream-flag.patch @@ -0,0 +1,52 @@ +From 2c681c6f30fb90adab4701e287ff7a7db669b2e7 Mon Sep 17 00:00:00 2001 +From: Christopher Faulet +Date: Thu, 22 Dec 2022 09:47:01 +0100 +Subject: [PATCH] BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream + flag set + +As state in RFC9113#8.1, HEADERS frame with the ES flag set that carries an +informational status code is malformed. However, there is no test on this +condition. + +On 2.4 and higher, it is hard to predict consequences of this bug because +end of the message is only reported with a flag. But on 2.2 and lower, it +leads to a crash because there is an unexpected extra EOM block at the end +of an interim response. + +Now, when a ES flag is detected on a HEADERS frame for an interim message, a +stream error is sent (RST_STREAM/PROTOCOL_ERROR). + +This patch should solve the issue #1972. It should be backported as far as +2.0. + +(cherry picked from commit 827a6299e6995c5c3ba620d8b7cbacdaef67f2c4) +Signed-off-by: Willy Tarreau +(cherry picked from commit ebfae006c6b5de1d1fe0cdd51847ec1e39d5cf59) +Signed-off-by: Christopher Faulet +(cherry picked from commit 84f5cba24f59b1c8339bb38323fcb01f434ba8e5) +Signed-off-by: Christopher Faulet +(cherry picked from commit f5748a98c34bc889cae9386ca4f7073ab3f4c6b1) +Signed-off-by: Christopher Faulet +--- + src/mux_h2.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/mux_h2.c b/src/mux_h2.c +index 7d23e5abd..7dbbfefec 100644 +--- a/src/mux_h2.c ++++ b/src/mux_h2.c +@@ -4942,6 +4942,11 @@ static int h2c_decode_headers(struct h2c *h2c, struct buffer *rxbuf, uint32_t *f + *flags |= H2_SF_HEADERS_RCVD; + + if (h2c->dff & H2_F_HEADERS_END_STREAM) { ++ if (msgf & H2_MSGF_RSP_1XX) { ++ /* RFC9113#8.1 : HEADERS frame with the ES flag set that carries an informational status code is malformed */ ++ TRACE_STATE("invalid interim response with ES flag!", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2C_ERR|H2_EV_PROTO_ERR, h2c->conn); ++ goto fail; ++ } + /* no more data are expected for this message */ + htx->flags |= HTX_FL_EOM; + } +-- +2.37.3 + diff --git a/haproxy.spec b/haproxy.spec index f4f195b..cb6d884 100644 --- a/haproxy.spec +++ b/haproxy.spec @@ -8,7 +8,7 @@ Name: haproxy Version: 2.4.17 -Release: 4%{?dist} +Release: 5%{?dist} Summary: HAProxy reverse proxy for high availability environments License: GPLv2+ @@ -22,6 +22,8 @@ Source4: %{name}.sysconfig Source5: %{name}.sysusers Source6: halog.1 +Patch0: bz2161140-refuse-response-end-stream-flag.patch + BuildRequires: gcc BuildRequires: lua-devel BuildRequires: pcre2-devel @@ -50,6 +52,7 @@ availability environments. Indeed, it can: %prep %setup -q +%patch0 -p1 %build regparm_opts= @@ -132,6 +135,9 @@ done %{_sysusersdir}/%{name}.conf %changelog +* Mon Feb 27 2023 Ryan O'Hara - 2.4.17-5 +- Refuse interim responses with end-stream flag set (CVE-2023-0056, #2161140) + * Wed Nov 30 2022 Ryan O'Hara - 2.4.17-4 - Use systemd-sysusers for user/group creation (#2095422)