www/h2o: Fix Use-after-free vulnerability

- Fix duplicate PORTREVISION assignment - Register OpenSSL dependency when LIBRESSL is OFF PR: 215587 Submitted by: Dave Cottlehuber <dch@skunkwerks.at> (maintainer) MFH: 2016Q4 Security: d0b12952-cb86-11e6-906f-0cc47a065786 Security: CVE-2016-7835
author: brnrd <brnrd@FreeBSD.org> 2016-12-29 21:24:00 +0800
committer: brnrd <brnrd@FreeBSD.org> 2016-12-29 21:24:00 +0800
commit: 860c71b5aa885c0ae04a7a07639e21be38333c1d (patch)
tree: 50fde3a8dba4198cdbb15d42b2b96c6836da3adb /www
parent: c8f0d485840c1e70ece62970ba7c091c644cc6bd (diff)
download: freebsd-ports-gnome-860c71b5aa885c0ae04a7a07639e21be38333c1d.tar.gz
freebsd-ports-gnome-860c71b5aa885c0ae04a7a07639e21be38333c1d.tar.zst
freebsd-ports-gnome-860c71b5aa885c0ae04a7a07639e21be38333c1d.zip
3 files changed, 157 insertions, 2 deletions
diff --git a/www/h2o/Makefile b/www/h2o/Makefile
index 7786227b2586..95d408f2e463 100644
--- a/www/h2o/Makefile
+++ b/www/h2o/Makefile
@@ -3,9 +3,8 @@
 
 PORTNAME=	h2o
 PORTVERSION=	2.0.4
-PORTREVISION=	1
+PORTREVISION=	2
 DISTVERSIONPREFIX=	v
-PORTREVISION=	1
 CATEGORIES=	www
 
 MAINTAINER=	dch@skunkwerks.at
@@ -49,6 +48,7 @@ CMAKE_ARGS+=	-DEXTRA_LIBRARIES=OFF -DWITHOUT_LIBS=ON
 
 LIBRESSL_CMAKE_ON=	-DWITH_BUNDLED_SSL=ON
 LIBRESSL_CMAKE_OFF=	-DWITH_BUNDLED_SSL=OFF
+LIBRESSL_USES_OFF=	ssl
 MRUBY_CMAKE_ON=		-DWITH_MRUBY=ON
 MRUBY_CMAKE_OFF=		-DWITH_MRUBY=OFF
 
diff --git a/www/h2o/files/patch-lib_core_request.c b/www/h2o/files/patch-lib_core_request.c
new file mode 100644
index 000000000000..789c2cd173ee
--- /dev/null
+++ b/www/h2o/files/patch-lib_core_request.c
@@ -0,0 +1,145 @@
+--- lib/core/request.c.orig	2016-09-13 06:57:03 UTC
++++ lib/core/request.c
+@@ -31,21 +31,24 @@
+ 
+ #define INITIAL_INBUFSZ 8192
+ 
+-struct st_delegate_request_deferred_t {
++struct st_deferred_request_action_t {
++    h2o_timeout_entry_t timeout;
+     h2o_req_t *req;
++};
++
++struct st_delegate_request_deferred_t {
++    struct st_deferred_request_action_t super;
+     h2o_handler_t *current_handler;
+-    h2o_timeout_entry_t _timeout;
+ };
+ 
+ struct st_reprocess_request_deferred_t {
+-    h2o_req_t *req;
++    struct st_deferred_request_action_t super;
+     h2o_iovec_t method;
+     const h2o_url_scheme_t *scheme;
+     h2o_iovec_t authority;
+     h2o_iovec_t path;
+     h2o_req_overrides_t *overrides;
+     int is_delegated;
+-    h2o_timeout_entry_t _timeout;
+ };
+ 
+ struct st_send_error_deferred_t {
+@@ -57,6 +60,21 @@ struct st_send_error_deferred_t {
+     h2o_timeout_entry_t _timeout;
+ };
+ 
++static void on_deferred_action_dispose(void *_action)
++{
++    struct st_deferred_request_action_t *action = _action;
++    if (h2o_timeout_is_linked(&action->timeout))
++        h2o_timeout_unlink(&action->timeout);
++}
++
++static struct st_deferred_request_action_t *create_deferred_action(h2o_req_t *req, size_t sz, h2o_timeout_cb cb)
++{
++    struct st_deferred_request_action_t *action = h2o_mem_alloc_shared(&req->pool, sz, on_deferred_action_dispose);
++    *action = (struct st_deferred_request_action_t){{0, cb}, req};
++    h2o_timeout_link(req->conn->ctx->loop, &req->conn->ctx->zero_timeout, &action->timeout);
++    return action;
++}
++
+ static h2o_hostconf_t *find_hostconf(h2o_hostconf_t **hostconfs, h2o_iovec_t authority, uint16_t default_port)
+ {
+     h2o_iovec_t hostname;
+@@ -205,6 +223,7 @@ void h2o_init_request(h2o_req_t *req, h2
+     req->preferred_chunk_size = SIZE_MAX;
+ 
+     if (src != NULL) {
++        size_t i;
+ #define COPY(buf)                                                                                                                  \
+     do {                                                                                                                           \
+         req->buf.base = h2o_mem_alloc_pool(&req->pool, src->buf.len);                                                              \
+@@ -216,9 +235,6 @@ void h2o_init_request(h2o_req_t *req, h2
+         COPY(input.path);
+         req->input.scheme = src->input.scheme;
+         req->version = src->version;
+-        h2o_vector_reserve(&req->pool, &req->headers, src->headers.size);
+-        memcpy(req->headers.entries, src->headers.entries, sizeof(req->headers.entries[0]) * src->headers.size);
+-        req->headers.size = src->headers.size;
+         req->entity = src->entity;
+         req->http1_is_persistent = src->http1_is_persistent;
+         req->timestamps = src->timestamps;
+@@ -229,8 +245,19 @@ void h2o_init_request(h2o_req_t *req, h2
+             req->upgrade.len = 0;
+         }
+ #undef COPY
++        h2o_vector_reserve(&req->pool, &req->headers, src->headers.size);
++        req->headers.size = src->headers.size;
++        for (i = 0; i != src->headers.size; ++i) {
++            h2o_header_t *dst_header = req->headers.entries + i, *src_header = src->headers.entries + i;
++            if (h2o_iovec_is_token(src_header->name)) {
++                dst_header->name = src_header->name;
++            } else {
++                dst_header->name = h2o_mem_alloc_pool(&req->pool, sizeof(*dst_header->name));
++                *dst_header->name = h2o_strdup(&req->pool, src_header->name->base, src_header->name->len);
++            }
++            dst_header->value = h2o_strdup(&req->pool, src_header->value.base, src_header->value.len);
++        }
+         if (src->env.size != 0) {
+-            size_t i;
+             h2o_vector_reserve(&req->pool, &req->env, src->env.size);
+             req->env.size = src->env.size;
+             for (i = 0; i != req->env.size; ++i)
+@@ -276,16 +303,16 @@ void h2o_delegate_request(h2o_req_t *req
+ 
+ static void on_delegate_request_cb(h2o_timeout_entry_t *entry)
+ {
+-    struct st_delegate_request_deferred_t *args = H2O_STRUCT_FROM_MEMBER(struct st_delegate_request_deferred_t, _timeout, entry);
+-    h2o_delegate_request(args->req, args->current_handler);
++    struct st_delegate_request_deferred_t *args =
++        H2O_STRUCT_FROM_MEMBER(struct st_delegate_request_deferred_t, super.timeout, entry);
++    h2o_delegate_request(args->super.req, args->current_handler);
+ }
+ 
+ void h2o_delegate_request_deferred(h2o_req_t *req, h2o_handler_t *current_handler)
+ {
+-    struct st_delegate_request_deferred_t *args = h2o_mem_alloc_pool(&req->pool, sizeof(*args));
+-    *args = (struct st_delegate_request_deferred_t){req, current_handler};
+-    args->_timeout.cb = on_delegate_request_cb;
+-    h2o_timeout_link(req->conn->ctx->loop, &req->conn->ctx->zero_timeout, &args->_timeout);
++    struct st_delegate_request_deferred_t *args =
++        (struct st_delegate_request_deferred_t *)create_deferred_action(req, sizeof(*args), on_delegate_request_cb);
++    args->current_handler = current_handler;
+ }
+ 
+ void h2o_reprocess_request(h2o_req_t *req, h2o_iovec_t method, const h2o_url_scheme_t *scheme, h2o_iovec_t authority,
+@@ -335,17 +362,23 @@ void h2o_reprocess_request(h2o_req_t *re
+ 
+ static void on_reprocess_request_cb(h2o_timeout_entry_t *entry)
+ {
+-    struct st_reprocess_request_deferred_t *args = H2O_STRUCT_FROM_MEMBER(struct st_reprocess_request_deferred_t, _timeout, entry);
+-    h2o_reprocess_request(args->req, args->method, args->scheme, args->authority, args->path, args->overrides, args->is_delegated);
++    struct st_reprocess_request_deferred_t *args =
++        H2O_STRUCT_FROM_MEMBER(struct st_reprocess_request_deferred_t, super.timeout, entry);
++    h2o_reprocess_request(args->super.req, args->method, args->scheme, args->authority, args->path, args->overrides,
++                          args->is_delegated);
+ }
+ 
+ void h2o_reprocess_request_deferred(h2o_req_t *req, h2o_iovec_t method, const h2o_url_scheme_t *scheme, h2o_iovec_t authority,
+                                     h2o_iovec_t path, h2o_req_overrides_t *overrides, int is_delegated)
+ {
+-    struct st_reprocess_request_deferred_t *args = h2o_mem_alloc_pool(&req->pool, sizeof(*args));
+-    *args = (struct st_reprocess_request_deferred_t){req, method, scheme, authority, path, overrides, is_delegated};
+-    args->_timeout.cb = on_reprocess_request_cb;
+-    h2o_timeout_link(req->conn->ctx->loop, &req->conn->ctx->zero_timeout, &args->_timeout);
++    struct st_reprocess_request_deferred_t *args =
++        (struct st_reprocess_request_deferred_t *)create_deferred_action(req, sizeof(*args), on_reprocess_request_cb);
++    args->method = method;
++    args->scheme = scheme;
++    args->authority = authority;
++    args->path = path;
++    args->overrides = overrides;
++    args->is_delegated = is_delegated;
+ }
+ 
+ void h2o_start_response(h2o_req_t *req, h2o_generator_t *generator)
diff --git a/www/h2o/files/patch-lib_http2_connection.c b/www/h2o/files/patch-lib_http2_connection.c
new file mode 100644
index 000000000000..1c8cd2864c3a
--- /dev/null
+++ b/www/h2o/files/patch-lib_http2_connection.c
@@ -0,0 +1,10 @@
+--- lib/http2/connection.c.orig	2016-09-13 06:57:03 UTC
++++ lib/http2/connection.c
+@@ -1329,6 +1329,7 @@ int h2o_http2_handle_upgrade(h2o_req_t *
+ 
+     return 0;
+ Error:
++    h2o_linklist_unlink(&http2conn->_conns);
+     free(http2conn);
+     return -1;
+ }
author	brnrd <brnrd@FreeBSD.org>	2016-12-29 21:24:00 +0800
committer	brnrd <brnrd@FreeBSD.org>	2016-12-29 21:24:00 +0800
commit	860c71b5aa885c0ae04a7a07639e21be38333c1d (patch)
tree	50fde3a8dba4198cdbb15d42b2b96c6836da3adb /www
parent	c8f0d485840c1e70ece62970ba7c091c644cc6bd (diff)
download	freebsd-ports-gnome-860c71b5aa885c0ae04a7a07639e21be38333c1d.tar.gz freebsd-ports-gnome-860c71b5aa885c0ae04a7a07639e21be38333c1d.tar.zst freebsd-ports-gnome-860c71b5aa885c0ae04a7a07639e21be38333c1d.zip