mod_lua: A maliciously crafted websockets PING after a script
calls r:wsupgrade() can cause a child process crash.
[Edward Lu <Chaosed0 gmail.com>]
Discovered by Guido Vranken <guidovranken gmail.com>
Submitted by: Edward Lu
Committed by: covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@
1657261 13f79535-47bb-0310-9956-
ffa450edef68
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) SECURITY: CVE-2015-0228 (cve.mitre.org)
+ mod_lua: A maliciously crafted websockets PING after a script
+ calls r:wsupgrade() can cause a child process crash.
+ [Edward Lu <Chaosed0 gmail.com>]
+
*) mod_lua: After a r:wsupgrade(), mod_lua was not properly
responding to a websockets PING but instead invoking the specified
script. PR57524. [Edward Lu <Chaosed0 gmail.com>]
{
apr_socket_t *sock;
apr_status_t rv;
+ int do_read = 1;
int n = 0;
apr_size_t len = 1;
apr_size_t plen = 0;
mask_bytes = apr_pcalloc(r->pool, 4);
sock = ap_get_conn_socket(r->connection);
+ while (do_read) {
+ do_read = 0;
/* Get opcode and FIN bit */
if (plaintext) {
rv = apr_socket_recv(sock, &byte, &len);
frame[0] = 0x8A;
frame[1] = 0;
apr_socket_send(sock, frame, &plen); /* Pong! */
- lua_websocket_read(L); /* read the next frame instead */
+ do_read = 1;
}
}
}
+ }
return 0;
}
projects / apache / commitdiff