1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
|
From 643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Wed, 4 Feb 2015 14:44:23 +0000
Subject: [PATCH] *) SECURITY: CVE-2015-0228 (cve.mitre.org) mod_lua: A
maliciously crafted websockets PING after a script calls r:wsupgrade()
can cause a child process crash. [Edward Lu <Chaosed0 gmail.com>]
Upstream-Status: BackPort
Discovered by Guido Vranken <guidovranken gmail.com>
Submitted by: Edward Lu
Committed by: covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657261 13f79535-47bb-0310-9956-ffa450edef68
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
modules/lua/lua_request.c | 6 +++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
index dded599..1200c55 100644
--- a/modules/lua/lua_request.c
+++ b/modules/lua/lua_request.c
@@ -2227,6 +2227,7 @@ static int lua_websocket_read(lua_State *L)
{
apr_socket_t *sock;
apr_status_t rv;
+ int do_read = 1;
int n = 0;
apr_size_t len = 1;
apr_size_t plen = 0;
@@ -2244,6 +2245,8 @@ static int lua_websocket_read(lua_State *L)
mask_bytes = apr_pcalloc(r->pool, 4);
sock = ap_get_conn_socket(r->connection);
+ while (do_read) {
+ do_read = 0;
/* Get opcode and FIN bit */
if (plaintext) {
rv = apr_socket_recv(sock, &byte, &len);
@@ -2377,10 +2380,11 @@ static int lua_websocket_read(lua_State *L)
frame[0] = 0x8A;
frame[1] = 0;
apr_socket_send(sock, frame, &plen); /* Pong! */
- lua_websocket_read(L); /* read the next frame instead */
+ do_read = 1;
}
}
}
+ }
return 0;
}
--
1.9.1
|
