libproxy/SOURCES/libproxy-0.4.15-fix-CVE-2020-25219.patch

From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@gnome.org>
Date: Wed, 9 Sep 2020 11:12:02 -0500
Subject: [PATCH] Rewrite url::recvline to be nonrecursive

This function processes network input. It's semi-trusted, because the
PAC ought to be trusted. But we still shouldn't allow it to control how
far we recurse. A malicious PAC can cause us to overflow the stack by
sending a sufficiently-long line without any '\n' character.

Also, this function failed to properly handle EINTR, so let's fix that
too, for good measure.

Fixes #134
---
 libproxy/url.cpp | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/libproxy/url.cpp b/libproxy/url.cpp
index ee776b2..68d69cd 100644
--- a/libproxy/url.cpp
+++ b/libproxy/url.cpp
@@ -388,16 +388,24 @@ string url::to_string() const {
 	return m_orig;
 }
 
-static inline string recvline(int fd) {
-	// Read a character.
-	// If we don't get a character, return empty string.
-	// If we are at the end of the line, return empty string.
-	char c = '\0';
-	
-	if (recv(fd, &c, 1, 0) != 1 || c == '\n')
-		return "";
-
-	return string(1, c) + recvline(fd);
+static string recvline(int fd) {
+	string line;
+	int ret;
+
+	// Reserve arbitrary amount of space to avoid small memory reallocations.
+	line.reserve(128);
+
+	do {
+		char c;
+		ret = recv(fd, &c, 1, 0);
+		if (ret == 1) {
+			if (c == '\n')
+				return line;
+			line += c;
+		}
+	} while (ret == 1 || (ret == -1 && errno == EINTR));
+
+	return line;
 }
 
 char* url::get_pac() {
import UBI libproxy-0.4.15-5.5.el8_10 2024-11-05 00:48:39 +00:00			`From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001`
			`From: Michael Catanzaro <mcatanzaro@gnome.org>`
			`Date: Wed, 9 Sep 2020 11:12:02 -0500`
			`Subject: [PATCH] Rewrite url::recvline to be nonrecursive`

			`This function processes network input. It's semi-trusted, because the`
			`PAC ought to be trusted. But we still shouldn't allow it to control how`
			`far we recurse. A malicious PAC can cause us to overflow the stack by`
			`sending a sufficiently-long line without any '\n' character.`

			`Also, this function failed to properly handle EINTR, so let's fix that`
			`too, for good measure.`

			`Fixes #134`
			`---`
			`libproxy/url.cpp \| 28 ++++++++++++++++++----------`
			`1 file changed, 18 insertions(+), 10 deletions(-)`

			`diff --git a/libproxy/url.cpp b/libproxy/url.cpp`
			`index ee776b2..68d69cd 100644`
			`--- a/libproxy/url.cpp`
			`+++ b/libproxy/url.cpp`
			`@@ -388,16 +388,24 @@ string url::to_string() const {`
			`return m_orig;`
			`}`

			`-static inline string recvline(int fd) {`
			`- // Read a character.`
			`- // If we don't get a character, return empty string.`
			`- // If we are at the end of the line, return empty string.`
			`- char c = '\0';`
			`-`
			`- if (recv(fd, &c, 1, 0) != 1 \|\| c == '\n')`
			`- return "";`
			`-`
			`- return string(1, c) + recvline(fd);`
			`+static string recvline(int fd) {`
			`+ string line;`
			`+ int ret;`
			`+`
			`+ // Reserve arbitrary amount of space to avoid small memory reallocations.`
			`+ line.reserve(128);`
			`+`
			`+ do {`
			`+ char c;`
			`+ ret = recv(fd, &c, 1, 0);`
			`+ if (ret == 1) {`
			`+ if (c == '\n')`
			`+ return line;`
			`+ line += c;`
			`+ }`
			`+ } while (ret == 1 \|\| (ret == -1 && errno == EINTR));`
			`+`
			`+ return line;`
			`}`

			`char* url::get_pac() {`