

[pkgsrc/trunk]: pkgsrc/www/lighttpd Fix a potential DOS when using SSL. Bump ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/b1a35f09b145
branches:  trunk
changeset: 541784:b1a35f09b145
user:      joerg <joerg%pkgsrc.org@localhost>
date:      Fri Apr 25 19:58:17 2008 +0000

description:
Fix a potential DoS when using SSL. Bump revision.

diffstat:

 www/lighttpd/distinfo         |   4 +-
 www/lighttpd/patches/patch-aa |  69 +++++++++++++++++++++++++++++++++++++++++++
 www/lighttpd/patches/patch-ac |  22 +++++++++++++
 3 files changed, 94 insertions(+), 1 deletions(-)

diffs (112 lines):

diff -r 85fd7d75bfc3 -r b1a35f09b145 www/lighttpd/distinfo
--- a/www/lighttpd/distinfo     Fri Apr 25 19:57:16 2008 +0000
+++ b/www/lighttpd/distinfo     Fri Apr 25 19:58:17 2008 +0000
@@ -1,6 +1,8 @@
-$NetBSD: distinfo,v 1.13 2008/03/15 10:53:50 joerg Exp $
+$NetBSD: distinfo,v 1.14 2008/04/25 19:58:17 joerg Exp $
 
 SHA1 (lighttpd-1.4.19.tar.gz) = 79e2d61dd9017c3c50c0fe98b2289cae5c1255ee
 RMD160 (lighttpd-1.4.19.tar.gz) = 7dbe2a22051e18f4037b48ee4811e2c9738d20cf
 Size (lighttpd-1.4.19.tar.gz) = 815568 bytes
+SHA1 (patch-aa) = 4e3a6bf761bc0e0b8b2ff75fbec739d2cad145ab
 SHA1 (patch-ab) = b02003db1b2ac978846eb0f7be178b91f59fc176
+SHA1 (patch-ac) = eca334f430362b2095727e28b9cc15f757fd440d
diff -r 85fd7d75bfc3 -r b1a35f09b145 www/lighttpd/patches/patch-aa
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/lighttpd/patches/patch-aa     Fri Apr 25 19:58:17 2008 +0000
@@ -0,0 +1,69 @@
+$NetBSD: patch-aa,v 1.9 2008/04/25 19:58:17 joerg Exp $
+
+From SVN: Fix potential DOS by clearing SSL error queue.
+
+--- src/connections.c.orig     2008-04-25 18:28:26.000000000 +0200
++++ src/connections.c
+@@ -199,6 +199,7 @@ static int connection_handle_read_ssl(se
+ 
+       /* don't resize the buffer if we were in SSL_ERROR_WANT_* */
+ 
++      ERR_clear_error();
+       do {
+               if (!con->ssl_error_want_reuse_buffer) {
+                       b = buffer_init();
+@@ -1668,19 +1669,47 @@ int connection_state_machine(server *srv
+                       }
+ #ifdef USE_OPENSSL
+                       if (srv_sock->is_ssl) {
+-                              int ret;
++                              int ret, ssl_r;
++                              unsigned long err;
++                              ERR_clear_error();
+                               switch ((ret = SSL_shutdown(con->ssl))) {
+                               case 1:
+                                       /* ok */
+                                       break;
+                               case 0:
+-                                      SSL_shutdown(con->ssl);
+-                                      break;
++                                      ERR_clear_error();
++                                      if (-1 != (ret = SSL_shutdown(con->ssl))) break;
++
++                                      // fall through
+                               default:
+-                                      log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
+-                                                      SSL_get_error(con->ssl, ret),
+-                                                      ERR_error_string(ERR_get_error(), NULL));
+-                                      return -1;
++
++                                      switch ((ssl_r = SSL_get_error(con->ssl, ret))) {
++                                      case SSL_ERROR_WANT_WRITE:
++                                      case SSL_ERROR_WANT_READ:
++                                              break;
++                                      case SSL_ERROR_SYSCALL:
++                                              /* perhaps we have error waiting in our error-queue */
++                                              if (0 != (err = ERR_get_error())) {
++                                                      do {
++                                                              log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
++                                                                              ssl_r, ret,
++                                                                              ERR_error_string(err, NULL));
++                                                      } while ((err = ERR_get_error()));
++                                              } else {
++                                                      log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
++                                                                ssl_r, r, errno,
++                                                                strerror(errno));    
++                                              }
++                                              break;
++
++                                      default:
++                                              while ((err = ERR_get_error())) {
++                                                      log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
++                                                                      ssl_r, ret,
++                                                                      ERR_error_string(err, NULL));
++                                              }
++                                              break;
++                                      }
+                               }
+                       }
+ #endif
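Review bot: In the SSL_ERROR_SYSCALL branch the fallback log call passes `r` where every sibling call passes `ret` (`ssl_r, r, errno,`); `r` is not declared in the added lines, so if this compiles it presumably resolves to an outer variable of connection_state_machine and the logged value would be unrelated to SSL_shutdown's return. It should read `ssl_r, ret, errno,` to match the error-queue path just above it. The same line also carries trailing whitespace after `strerror(errno));` that should be dropped before the patch is committed. connection_state_machine starts and ends outside the hunk.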
diff -r 85fd7d75bfc3 -r b1a35f09b145 www/lighttpd/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/lighttpd/patches/patch-ac     Fri Apr 25 19:58:17 2008 +0000
@@ -0,0 +1,22 @@
+$NetBSD: patch-ac,v 1.5 2008/04/25 19:58:17 joerg Exp $
+
+From SVN: Fix potential DOS by clearing SSL error queue.
+
+--- src/network_openssl.c.orig 2008-04-25 18:29:42.000000000 +0200
++++ src/network_openssl.c
+@@ -85,6 +85,7 @@ int network_write_chunkqueue_openssl(ser
+                        *
+                        */
+ 
++                      ERR_clear_error();
+                       if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
+                               unsigned long err;
+ 
+@@ -187,6 +188,7 @@ int network_write_chunkqueue_openssl(ser
+ 
+                               close(ifd);
+ 
++                              ERR_clear_error();
+                               if ((r = SSL_write(ssl, s, toSend)) <= 0) {
+                                       unsigned long err;
+ 
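Review bot: The two `ERR_clear_error();` lines are added without a comment, and the reason stated in the patch header — a stale entry in OpenSSL's per-thread error queue distorting what SSL_get_error() reports for the following SSL_write — is not visible at the call site. A one-line comment such as `/* drain stale OpenSSL errors so SSL_get_error() below reflects this SSL_write only */` above each call would keep a later maintainer from removing them as redundant. network_write_chunkqueue_openssl starts and ends outside both hunks.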


