git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
http-parser
1
0
Fork 0
Files
Tree: 2758d759f2
Branches Tags
http-parser
/
debian
/
patches
/
fix-ABI-breakage.patch

fix-ABI-breakage.patch 8.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224 
  1. Subject: Fix ABI breakage introduced by accident in 2.8.1-1+deb10u1
    2. 

  2. Author: Hilko Bengen <bengen@debian.org>
    3. 

  3. Date: 2021-10-22
    4. 

  4. Bug-Debian:
    5. 

  5.     https://bugs.debian.org/996460
    6. 

  6.     https://bugs.debian.org/996939
    7. 

  7.     https://bugs.debian.org/996997
    8. 

  8. Comment: (by the http-parser maintainer)
    9. 

  9. 

  10.   # Problem
    11. 

  11. 

  12.   The fix for CVE-2019-15605 introduced an ABI break by changing the
    13. 

  13.   layout of struct http_parser - a change that was needed to store a
    14. 

  14.   ninth bit in the "flags" field. However, this affected offsets of
    15. 

  15.   fields declared as public, causing applications to break.
    16. 

  16. 

  17.   # Workaround
    18. 

  18. 

  19.   To restore the previous layout while still implementing the fix: Steal
    20. 

  20.   one bit from the (private) content_length field (the remaining 63
    21. 

  21.   are more than enough) to store the newly introduced flag.
    22. 

  22. 

  23.   Also rename the related constant as a safeguard against applications
    24. 

  24.   that use it (they must not, see below).
    25. 

  25. 

  26.   # Possible regressions
    27. 

  27. 

  28.   A lot of work was done to avoid damage for well-behaving applications.
    29. 

  29.   It seems all applications in Debian built against http-parser fall
    30. 

  30.   into that category.
    31. 

  31. 

  32.   Applications however that access fields in struct http_parser that are
    33. 

  33.   in the section marked "/** PRIVATE **/" may face issues. Such a
    34. 

  34.   behaviour is inacceptable anyway.
    35. 

  35. 

  36.   If such a mis-behaving application ...
    37. 

  37. 

  38.   * was built using an earlier version of http-parser, the code will
    39. 

  39.     assume content_length is a 64 bit value. Depending on endianess and
    40. 

  40.     status of the F_TRANSFER_ENCODING bit, things may work. Possibly
    41. 

  41.     they will not.
    42. 

  42. 

  43.   * uses the private F_TRANSFER_ENCODING constant and was built using
    44. 

  44.     http-parser 2.8.1-1+deb10u1, it will not see the information it
    45. 

  45.     expects to see.
    46. 

  46.     Additionally, and re-build will fail. This is by design.
    47. 

  47. 

  48.   Again, applications must not access fields declared private, and their
    49. 

  49.   authors should not expect pity if they encounter breakage any anything
    50. 

  50.   changes there.
    51. 

  51. 

  52.   # Acknowledgments
    53. 

  53. 

  54.   Thanks a lot to Hilko Bengen for the idea, implementation, a first
    55. 

  55.   round of tests and many suggestions.
    56. 

  56. 

  57. --- a/http_parser.c
    58. 

  58. +++ b/http_parser.c
    59. 

  59. @@ -25,9 +25,7 @@
    60. 

  60.  #include <string.h>
    61. 

  61.  #include <limits.h>
    62. 

  62.  
    63. 

  63. -#ifndef ULLONG_MAX
    64. 

  64. -# define ULLONG_MAX ((uint64_t) -1) /* 2^64-1 */
    65. 

  65. -#endif
    66. 

  66. +#define CONTENT_LENGTH_MAX (((uint64_t)-1) >> 1)
    67. 

  67.  
    68. 

  68.  #ifndef MIN
    69. 

  69.  # define MIN(a,b) ((a) < (b) ? (a) : (b))
    70. 

  70. @@ -724,7 +722,8 @@
    71. 

  71.          if (ch == CR || ch == LF)
    72. 

  72.            break;
    73. 

  73.          parser->flags = 0;
    74. 

  74. -        parser->content_length = ULLONG_MAX;
    75. 

  75. +        parser->flags2 = 0;
    76. 

  76. +        parser->content_length = CONTENT_LENGTH_MAX;
    77. 

  77.  
    78. 

  78.          if (ch == 'H') {
    79. 

  79.            UPDATE_STATE(s_res_or_resp_H);
    80. 

  80. @@ -759,7 +758,8 @@
    81. 

  81.        case s_start_res:
    82. 

  82.        {
    83. 

  83.          parser->flags = 0;
    84. 

  84. -        parser->content_length = ULLONG_MAX;
    85. 

  85. +        parser->flags2 = 0;
    86. 

  86. +        parser->content_length = CONTENT_LENGTH_MAX;
    87. 

  87.  
    88. 

  88.          switch (ch) {
    89. 

  89.            case 'H':
    90. 

  90. @@ -923,7 +923,8 @@
    91. 

  91.          if (ch == CR || ch == LF)
    92. 

  92.            break;
    93. 

  93.          parser->flags = 0;
    94. 

  94. -        parser->content_length = ULLONG_MAX;
    95. 

  95. +        parser->flags2 = 0;
    96. 

  96. +        parser->content_length = CONTENT_LENGTH_MAX;
    97. 

  97.  
    98. 

  98.          if (UNLIKELY(!IS_ALPHA(ch))) {
    99. 

  99.            SET_ERRNO(HPE_INVALID_METHOD);
    100. 

  100. @@ -1314,7 +1315,7 @@
    101. 

  101.                  parser->header_state = h_general;
    102. 

  102.                } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
    103. 

  103.                  parser->header_state = h_transfer_encoding;
    104. 

  104. -                parser->flags |= F_TRANSFER_ENCODING;
    105. 

  105. +                parser->flags2 |= F_TRANSFER_ENCODING2;
    106. 

  106.                }
    107. 

  107.                break;
    108. 

  108.  
    109. 

  109. @@ -1528,7 +1529,7 @@
    110. 

  110.                t += ch - '0';
    111. 

  111.  
    112. 

  112.                /* Overflow? Test against a conservative limit for simplicity. */
    113. 

  113. -              if (UNLIKELY((ULLONG_MAX - 10) / 10 < parser->content_length)) {
    114. 

  114. +              if (UNLIKELY((CONTENT_LENGTH_MAX - 10) / 10 < parser->content_length)) {
    115. 

  115.                  SET_ERRNO(HPE_INVALID_CONTENT_LENGTH);
    116. 

  116.                  parser->header_state = h_state;
    117. 

  117.                  goto error;
    118. 

  118. @@ -1765,7 +1766,7 @@
    119. 

  119.  
    120. 

  120.          /* Cannot us transfer-encoding and a content-length header together
    121. 

  121.             per the HTTP specification. (RFC 7230 Section 3.3.3) */
    122. 

  122. -        if ((parser->flags & F_TRANSFER_ENCODING) &&
    123. 

  123. +        if ((parser->flags2 & F_TRANSFER_ENCODING2) &&
    124. 

  124.              (parser->flags & F_CONTENTLENGTH)) {
    125. 

  125.            /* Allow it for lenient parsing as long as `Transfer-Encoding` is
    126. 

  126.             * not `chunked`
    127. 

  127. @@ -1834,7 +1835,7 @@
    128. 

  128.          parser->nread = 0;
    129. 

  129.  
    130. 

  130.          hasBody = parser->flags & F_CHUNKED ||
    131. 

  131. -          (parser->content_length > 0 && parser->content_length != ULLONG_MAX);
    132. 

  132. +          (parser->content_length > 0 && parser->content_length != CONTENT_LENGTH_MAX);
    133. 

  133.          if (parser->upgrade && (parser->method == HTTP_CONNECT ||
    134. 

  134.                                  (parser->flags & F_SKIPBODY) || !hasBody)) {
    135. 

  135.            /* Exit, the rest of the message is in a different protocol. */
    136. 

  136. @@ -1850,7 +1851,7 @@
    137. 

  137.            /* chunked encoding - ignore Content-Length header,
    138. 

  138.             * prepare for a chunk */
    139. 

  139.            UPDATE_STATE(s_chunk_size_start);
    140. 

  140. -        } else if (parser->flags & F_TRANSFER_ENCODING) {
    141. 

  141. +        } else if (parser->flags2 & F_TRANSFER_ENCODING2) {
    142. 

  142.            if (parser->type == HTTP_REQUEST && !lenient) {
    143. 

  143.              /* RFC 7230 3.3.3 */
    144. 

  144.  
    145. 

  145. @@ -1877,7 +1878,7 @@
    146. 

  146.              /* Content-Length header given but zero: Content-Length: 0\r\n */
    147. 

  147.              UPDATE_STATE(NEW_MESSAGE());
    148. 

  148.              CALLBACK_NOTIFY(message_complete);
    149. 

  149. -          } else if (parser->content_length != ULLONG_MAX) {
    150. 

  150. +          } else if (parser->content_length != CONTENT_LENGTH_MAX) {
    151. 

  151.              /* Content-Length header given and non-zero */
    152. 

  152.              UPDATE_STATE(s_body_identity);
    153. 

  153.            } else {
    154. 

  154. @@ -1901,7 +1902,7 @@
    155. 

  155.                                 (uint64_t) ((data + len) - p));
    156. 

  156.  
    157. 

  157.          assert(parser->content_length != 0
    158. 

  158. -            && parser->content_length != ULLONG_MAX);
    159. 

  159. +            && parser->content_length != CONTENT_LENGTH_MAX);
    160. 

  160.  
    161. 

  161.          /* The difference between advancing content_length and p is because
    162. 

  162.           * the latter will automaticaly advance on the next loop iteration.
    163. 

  163. @@ -1991,7 +1992,7 @@
    164. 

  164.          t += unhex_val;
    165. 

  165.  
    166. 

  166.          /* Overflow? Test against a conservative limit for simplicity. */
    167. 

  167. -        if (UNLIKELY((ULLONG_MAX - 16) / 16 < parser->content_length)) {
    168. 

  168. +        if (UNLIKELY((CONTENT_LENGTH_MAX - 16) / 16 < parser->content_length)) {
    169. 

  169.            SET_ERRNO(HPE_INVALID_CONTENT_LENGTH);
    170. 

  170.            goto error;
    171. 

  171.          }
    172. 

  172. @@ -2035,7 +2036,7 @@
    173. 

  173.  
    174. 

  174.          assert(parser->flags & F_CHUNKED);
    175. 

  175.          assert(parser->content_length != 0
    176. 

  176. -            && parser->content_length != ULLONG_MAX);
    177. 

  177. +            && parser->content_length != CONTENT_LENGTH_MAX);
    178. 

  178.  
    179. 

  179.          /* See the explanation in s_body_identity for why the content
    180. 

  180.           * length and data pointers are managed this way.
    181. 

  181. @@ -2124,12 +2125,12 @@
    182. 

  182.    }
    183. 

  183.  
    184. 

  184.    /* RFC 7230 3.3.3, see `s_headers_almost_done` */
    185. 

  185. -  if ((parser->flags & F_TRANSFER_ENCODING) &&
    186. 

  186. +  if ((parser->flags2 & F_TRANSFER_ENCODING2) &&
    187. 

  187.        (parser->flags & F_CHUNKED) == 0) {
    188. 

  188.      return 1;
    189. 

  189.    }
    190. 

  190.  
    191. 

  191. -  if ((parser->flags & F_CHUNKED) || parser->content_length != ULLONG_MAX) {
    192. 

  192. +  if ((parser->flags & F_CHUNKED) || parser->content_length != CONTENT_LENGTH_MAX) {
    193. 

  193.      return 0;
    194. 

  194.    }
    195. 

  195.  
    196. 

  196. --- a/http_parser.h
    197. 

  197. +++ b/http_parser.h
    198. 

  198. @@ -225,7 +225,7 @@
    199. 

  199.    , F_UPGRADE               = 1 << 5
    200. 

  200.    , F_SKIPBODY              = 1 << 6
    201. 

  201.    , F_CONTENTLENGTH         = 1 << 7
    202. 

  202. -  , F_TRANSFER_ENCODING     = 1 << 8
    203. 

  203. +  , F_TRANSFER_ENCODING2    = 1 << 0 /* this goes into http_parser.flags2 */
    204. 

  204.    };
    205. 

  205.  
    206. 

  206.  
    207. 

  207. @@ -296,14 +296,15 @@
    208. 

  208.  struct http_parser {
    209. 

  209.    /** PRIVATE **/
    210. 

  210.    unsigned int type : 2;         /* enum http_parser_type */
    211. 

  211. +  unsigned int flags : 8;        /* F_* values from 'flags' enum; semi-public */
    212. 

  212.    unsigned int state : 7;        /* enum state from http_parser.c */
    213. 

  213.    unsigned int header_state : 7; /* enum header_state from http_parser.c */
    214. 

  214.    unsigned int index : 7;        /* index into current matcher */
    215. 

  215.    unsigned int lenient_http_headers : 1;
    216. 

  216. -  unsigned int flags : 16;       /* F_* values from 'flags' enum; semi-public */
    217. 

  217.  
    218. 

  218.    uint32_t nread;          /* # bytes read in various scenarios */
    219. 

  219. -  uint64_t content_length; /* # bytes in body (0 if no Content-Length header) */
    220. 

  220. +  uint64_t flags2 : 1;          /* one bit another flag */
    221. 

  221. +  uint64_t content_length : 63; /* # bytes in body (0 if no Content-Length header) */
    222. 

  222.  
    223. 

  223.    /** READ-ONLY **/
    224. 

  224.    unsigned short http_major;
    225.