From patchwork Mon Apr 24 03:20:12 2023
X-Patchwork-Submitter: Liangbin Lian
X-Patchwork-Id: 1772525
X-Patchwork-Delegate: hauke@hauke-m.de
From: Liangbin Lian
To: openwrt-devel@lists.openwrt.org
Cc: Liangbin Lian
Subject: [PATCH] package/uhttpd: fix string out of buffer range on uh_defer_script
Date: Mon, 24 Apr 2023 11:20:12 +0800
Message-Id: <20230424032012.96710-1-jjm2473@gmail.com>
X-Mailer: git-send-email 2.37.1 (Apple Git-137.1)
List-Id: OpenWrt Development List

if a url path length is a multiple of 8, the trailing zero will be trimmed out on uh_defer_script, causing a strange error.
it's simple to reproduce.

1. create a luci controller, register an entry with path length multiple of 8 (including '/cgi-bin/'), for example, '/cgi-bin/luci/admin/system/admin'.
2. set uhttpd max_requests to 1, and restart uhttpd
3. request '/cgi-bin/luci/admin/system/admin' with at least 2 processes
4. some responses will produce an error:
```
Unable to launch the requested CGI program:
  /www/cgi-bin/luci: No such file or directory
```
Signed-off-by: Liangbin Lian --- package/network/services/uhttpd/Makefile | 2 +- .../001-fix-string-out-of-buffer-range.patch | 47 +++++++++++++++++++ 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 package/network/services/uhttpd/patches/001-fix-string-out-of-buffer-range.patch diff --git a/package/network/services/uhttpd/Makefile b/package/network/services/uhttpd/Makefile index 3923e55b07..f47a964dbc 100644 --- a/package/network/services/uhttpd/Makefile +++ b/package/network/services/uhttpd/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=uhttpd -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL=$(PROJECT_GIT)/project/uhttpd.git diff --git a/package/network/services/uhttpd/patches/001-fix-string-out-of-buffer-range.patch b/package/network/services/uhttpd/patches/001-fix-string-out-of-buffer-range.patch new file mode 100644 index 0000000000..39566c353a --- /dev/null +++ b/package/network/services/uhttpd/patches/001-fix-string-out-of-buffer-range.patch 
@@ -0,0 +1,47 @@ +From c0e6e4393b4284d7287c3edbedbbd23da51b8da5 Mon Sep 17 00:00:00 2001 +From: Liangbin Lian +Date: Fri, 14 Apr 2023 02:19:38 +0800 +Subject: [PATCH] file: fix string out of buffer range on uh_defer_script + +if a url path length is multiple of 8, tailing zero will be trimed out on uh_defer_script, cause a strangle error. +it's simple to reproduce. + +1. create a luci controller, register a entry with path length multiple of 8 (including '/cgi-bin/'), for example, '/cgi-bin/luci/admin/system/admin'. +2. set uhttpd max_requests to 1, and restart uhttpd +3. request '/cgi-bin/luci/admin/system/admin' with at least 2 processes +4. some responses will produce a error: +``` +Unable to launch the requested CGI program: + /www/cgi-bin/luci: No such file or directory +``` + +Signed-off-by: Liangbin Lian +--- + file.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/file.c b/file.c +index ac781c1..d117387 100644 +--- a/file.c ++++ b/file.c +@@ -797,7 +797,7 @@ uh_defer_script(struct client *cl, struct dispatch_handler *d, char *url, struct + /* allocate enough memory to duplicate all path_info strings in one block */ + #undef _field + #define _field(_name) &_##_name, field_len(pi->_name), +- dr = calloc_a(sizeof(*dr), &_url, strlen(url), path_info_fields NULL); ++ dr = calloc_a(sizeof(*dr), &_url, strlen(url) + 1, path_info_fields NULL); + + memcpy(&dr->pi, pi, sizeof(*pi)); + dr->path = true; +@@ -807,7 +807,7 @@ uh_defer_script(struct client *cl, struct dispatch_handler *d, char *url, struct + #define _field(_name) if (pi->_name) dr->pi._name = strcpy(_##_name, pi->_name); + path_info_fields + } else { +- dr = calloc_a(sizeof(*dr), &_url, strlen(url), NULL); ++ dr = calloc_a(sizeof(*dr), &_url, strlen(url) + 1, NULL); + } + + cl->dispatch.req_data = dr; +-- +2.31.0 +
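Review bot: The Makefile hunk and the new patches/001-fix-string-out-of-buffer-range.patch carry this fix as a local package patch, although PKG_SOURCE_URL points at $(PROJECT_GIT)/project/uhttpd.git, a repository of the same project. Consider submitting the file.c change to uhttpd.git itself and updating the package to the fixed source revision, so the fix does not live only in the packaging tree and the PKG_RELEASE bump to 2 is not needed for a carried patch.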
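Review bot: In the first file.c hunk (@@ -797), the "+ 1" reserves the terminator for _url only; the hunk does not show how url is copied into _url or what field_len() returns for the path_info fields. The context line in the following hunk copies those fields with strcpy(_##_name, pi->_name), which writes a terminating NUL, so please confirm that field_len() already counts that byte. If it does not, the path_info strings have the same off-by-one and need the same treatment.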
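Review bot: In the second file.c hunk (@@ -807), "strlen(url) + 1" is now repeated in both branches of the if/else; computing the size once before the branch and passing that variable to both calloc_a() calls would keep the two allocations from drifting apart again. The commit message should also name the root cause (the url buffer was allocated without room for the NUL terminator) and say why only path lengths that are a multiple of 8 show the symptom, since the diff itself does not explain that boundary or whether it is the same on all targets.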