diff options
Diffstat (limited to 'meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch new file mode 100644 index 0000000000..767225b888 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch @@ -0,0 +1,98 @@ +From 5246fa5e75b129a7dbd9722aa4de0cbaf7ceae43 Mon Sep 17 00:00:00 2001 +From: Russ Cox <rsc@golang.org> +Date: Thu, 3 Dec 2020 09:45:07 -0500 +Subject: [PATCH] mime/multipart: handle ReadForm(math.MaxInt64) better + +Returning an error about integer overflow is needlessly pedantic. +The meaning of ReadForm(MaxInt64) is easily understood +(accept a lot of data) and can be implemented. + +Fixes #40430. + +Change-Id: I8a522033dd9a2f9ad31dd2ad82cf08d553736ab9 +Reviewed-on: https://go-review.googlesource.com/c/go/+/275112 +Trust: Russ Cox <rsc@golang.org> +Run-TryBot: Russ Cox <rsc@golang.org> +TryBot-Result: Go Bot <gobot@golang.org> +Reviewed-by: Ian Lance Taylor <iant@golang.org> + +Upstream-Status: Backport [https://github.com/golang/go/commit/5246fa5e75b129a7dbd9722aa4de0cbaf7ceae43] +CVE: CVE-2022-41725 #Dependency Patch3 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/mime/multipart/formdata.go | 8 ++++++-- + src/mime/multipart/formdata_test.go | 14 +++++--------- + src/net/http/request_test.go | 2 +- + 3 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go +index 4eb31012941ac..9c42ea8c023b5 100644 +--- a/src/mime/multipart/formdata.go ++++ b/src/mime/multipart/formdata.go +@@ -7,9 +7,9 @@ package multipart + import ( + "bytes" + "errors" +- "fmt" + "io" + "io/ioutil" ++ "math" + "net/textproto" + "os" + ) +@@ -43,7 +43,11 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) { + // Reserve an additional 10 MB for non-file parts. + maxValueBytes := maxMemory + int64(10<<20) + if maxValueBytes <= 0 { +- return nil, fmt.Errorf("multipart: integer overflow from maxMemory(%d) + 10MiB for non-file parts", maxMemory) ++ if maxMemory < 0 { ++ maxValueBytes = 0 ++ } else { ++ maxValueBytes = math.MaxInt64 ++ } + } + for { + p, err := r.NextPart() +diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go +index 7112e0d3727fe..e3a3a3eae8e15 100644 +--- a/src/mime/multipart/formdata_test.go ++++ b/src/mime/multipart/formdata_test.go +@@ -53,20 +53,16 @@ func TestReadFormWithNamelessFile(t *testing.T) { + } + } + +-// Issue 40430: Ensure that we report integer overflows in additions of maxMemory, +-// instead of silently and subtly failing without indication. ++// Issue 40430: Handle ReadForm(math.MaxInt64) + func TestReadFormMaxMemoryOverflow(t *testing.T) { + b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n")) + r := NewReader(b, boundary) + f, err := r.ReadForm(math.MaxInt64) +- if err == nil { +- t.Fatal("Unexpected a non-nil error") +- } +- if f != nil { +- t.Fatalf("Unexpected returned a non-nil form: %v\n", f) ++ if err != nil { ++ t.Fatalf("ReadForm(MaxInt64): %v", err) + } +- if g, w := err.Error(), "integer overflow from maxMemory"; !strings.Contains(g, w) { +- t.Errorf(`Error mismatch\n%q\ndid not contain\n%q`, g, w) ++ if f == nil { ++ t.Fatal("ReadForm(MaxInt64): missing form") + } + } + +diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go +index 19526b9ad791a..689498e19d5dd 100644 +--- a/src/net/http/request_test.go ++++ b/src/net/http/request_test.go +@@ -285,7 +285,7 @@ func TestMaxInt64ForMultipartFormMaxMemoryOverflow(t *testing.T) { + t.Fatal(err) + } + res.Body.Close() +- if g, w := res.StatusCode, StatusBadRequest; g != w { ++ if g, w := res.StatusCode, StatusOK; g != w { + t.Fatalf("Status code mismatch: got %d, want %d", g, w) + } + } |