From: Eric Covener Date: Wed, 4 Feb 2015 14:44:23 +0000 (+0000) Subject: *) SECURITY: CVE-2015-0228 (cve.mitre.org) X-Git-Tag: 2.5.0-alpha~3483 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=78eb3b9235515652ed141353d98c239237030410;p=apache *) SECURITY: CVE-2015-0228 (cve.mitre.org) mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash. [Edward Lu ] Discovered by Guido Vranken Submitted by: Edward Lu Committed by: covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657261 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index aa79dac9c6..02141ef5bd 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) SECURITY: CVE-2015-0228 (cve.mitre.org) + mod_lua: A maliciously crafted websockets PING after a script + calls r:wsupgrade() can cause a child process crash. + [Edward Lu ] + *) mod_lua: After a r:wsupgrade(), mod_lua was not properly responding to a websockets PING but instead invoking the specified script. PR57524. [Edward Lu ] diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c index dded599a4c..1200c55b35 100644 --- a/modules/lua/lua_request.c +++ b/modules/lua/lua_request.c @@ -2227,6 +2227,7 @@ static int lua_websocket_read(lua_State *L) { apr_socket_t *sock; apr_status_t rv; + int do_read = 1; int n = 0; apr_size_t len = 1; apr_size_t plen = 0; @@ -2244,6 +2245,8 @@ static int lua_websocket_read(lua_State *L) mask_bytes = apr_pcalloc(r->pool, 4); sock = ap_get_conn_socket(r->connection); + while (do_read) { + do_read = 0; /* Get opcode and FIN bit */ if (plaintext) { rv = apr_socket_recv(sock, &byte, &len); @@ -2377,10 +2380,11 @@ static int lua_websocket_read(lua_State *L) frame[0] = 0x8A; frame[1] = 0; apr_socket_send(sock, frame, &plen); /* Pong! */ - lua_websocket_read(L); /* read the next frame instead */ + do_read = 1; } } } + } return 0; }