From c390a5e4851180c4a146d3db5ccf5203fd0e3c9d Mon Sep 17 00:00:00 2001
From: Craig Leres
Date: Mon, 23 Sep 2024 13:28:33 -0700
Subject: [PATCH] www/pound: fix "out of memory" error
Apply upstream commits to fix a regression in 4.13: https://github.com/graygnuorg/pound/commit/0208af3 Fix generation of X-SSL- headers describing client certificate https://github.com/graygnuorg/pound/commit/e900114 Add missing \r when breaking up a long header in add_ssl_headers() PR: 281255 Approved by: zeus@gnu.org.ua (maintainer timeout, 20 days)
---
 www/pound/Makefile | 1 +
 www/pound/files/patch-src_http.c | 189 +++++++++++++++++++++++++++++++
 2 files changed, 190 insertions(+)
 create mode 100644 www/pound/files/patch-src_http.c
diff --git a/www/pound/Makefile b/www/pound/Makefile
index 9b0b5d2d690e..5ab59487d599 100644
--- a/www/pound/Makefile
+++ b/www/pound/Makefile
@@ -1,5 +1,6 @@
 PORTNAME= pound
 PORTVERSION= 4.13
+PORTREVISION= 1
 CATEGORIES= www net
 MASTER_SITES= https://github.com/graygnuorg/pound/releases/download/v${PORTVERSION}/
diff --git a/www/pound/files/patch-src_http.c b/www/pound/files/patch-src_http.c
new file mode 100644
index 000000000000..0f80c3556466
--- /dev/null
+++ b/www/pound/files/patch-src_http.c
@@ -0,0 +1,189 @@
+--- src/http.c.orig 2024-08-20 06:46:04 UTC
++++ src/http.c
+@@ -241,6 +241,14 @@ isws (int c)
+ {
+ return c == ' ' || c == '\t';
+ }
++
++static char const *
++trimwsl (char const *s)
++{
++ while (*s && isws (*s))
++ s++;
++ return s;
++}
+
+ static int
+ submatch_realloc (struct submatch *sm, GENPAT re)
+@@ -1162,7 +1170,7 @@ get_line (BIO *in, char *const buf, int bufsize)
+ case 0:
+ if (BIO_should_retry (in))
+ continue;
+- return COPY_EOF;
++ return i == 0 ? COPY_EOF : COPY_OK;
+ case -1:
+ return COPY_READ_ERR;
+ default:
+@@ -1312,15 +1320,11 @@ get_content_length (char const *arg, int mode)
+ CONTENT_LENGTH n;
+
+ if (mode == CL_HEADER)
+- {
+- while (isws (*arg))
+- arg++;
+- }
++ arg = trimwsl (arg);
+
+ if (strtoclen (arg, mode == CL_HEADER ? 10 : 16, &n, &p))
+ return NO_CONTENT_LENGTH;
+- while (isws (*p))
+- p++;
++ p = (char*) trimwsl (p);
+ if (*p)
+ {
+ if (!(mode == CL_CHUNK && *p == ';'))
+@@ -3219,6 +3223,30 @@ static int
+ }
+
+ static int
++set_header_from_bio (BIO *bio, struct http_request *req,
++ char const *hdr, struct stringbuf *sb)
++{
++ char buf[MAXBUF];
++ int rc;
++ char *str;
++
++ if ((rc = get_line (bio, buf, sizeof (buf))) == COPY_OK)
++ {
++ stringbuf_reset (sb);
++ stringbuf_printf (sb, "%s: %s", hdr, trimwsl (buf));
++ if ((str = stringbuf_finish (sb)) == NULL
++ || http_header_list_append (&req->headers, str, H_REPLACE))
++ {
++ return -1;
++ }
++ }
++ else if (rc != COPY_EOF)
++ logmsg (LOG_ERR, "(%"PRItid") error reading data: %s",
++ POUND_TID (), copy_status_string (rc));
++ return 0;
++}
++
++static int
+ add_ssl_headers (POUND_HTTP *phttp)
+ {
+ int res = 0;
+@@ -3248,72 +3276,40 @@ add_ssl_headers (POUND_HTTP *phttp)
+ if (phttp->lstn->clnt_check > 0 && phttp->x509 != NULL
+ && (bio = BIO_new (BIO_s_mem ())) != NULL)
+ {
++ int i;
++
++ BIO_set_mem_eof_return (bio, 0);
+ X509_NAME_print_ex (bio, X509_get_subject_name (phttp->x509), 8,
+ XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB);
+- if (get_line (bio, buf, sizeof (buf)) != COPY_OK)
++ if (set_header_from_bio (bio, &phttp->request, "X-SSL-Subject", &sb))
+ {
+ res = -1;
+ goto end;
+ }
+
+- stringbuf_printf (&sb, "X-SSL-Subject: %s", buf);
+- if ((str = stringbuf_finish (&sb)) == NULL
+- || http_header_list_append (&phttp->request.headers, str, H_REPLACE))
+- {
+- res = -1;
+- goto end;
+- }
+- stringbuf_reset (&sb);
+-
+ X509_NAME_print_ex (bio, X509_get_issuer_name (phttp->x509), 8,
+ XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB);
+- if (get_line (bio, buf, sizeof (buf)) != COPY_OK)
++ if (set_header_from_bio (bio, &phttp->request, "X-SSL-Issuer", &sb))
+ {
+ res = -1;
+ goto end;
+ }
+
+- stringbuf_printf (&sb, "X-SSL-Issuer: %s", buf);
+- if ((str = stringbuf_finish (&sb)) == NULL
+- || http_header_list_append (&phttp->request.headers, str, H_REPLACE))
+- {
+- res = -1;
+- goto end;
+- }
+- stringbuf_reset (&sb);
+-
+ ASN1_TIME_print (bio, X509_get_notBefore (phttp->x509));
+- if (get_line (bio, buf, sizeof (buf)) != COPY_OK)
++ if (set_header_from_bio (bio, &phttp->request, "X-SSL-notBefore", &sb))
+ {
+ res = -1;
+ goto end;
+ }
+
+- stringbuf_printf (&sb, "X-SSL-notBefore: %s", buf);
+- if ((str = stringbuf_finish (&sb)) == NULL
+- || http_header_list_append (&phttp->request.headers, str, H_REPLACE))
+- {
+- res = -1;
+- goto end;
+- }
+- stringbuf_reset (&sb);
+-
+ ASN1_TIME_print (bio, X509_get_notAfter (phttp->x509));
+- if (get_line (bio, buf, sizeof (buf)) != COPY_OK)
++ if (set_header_from_bio (bio, &phttp->request, "X-SSL-notAfter", &sb))
+ {
+ res = -1;
+ goto end;
+ }
+
+- stringbuf_printf (&sb, "X-SSL-notAfter: %s", buf);
+- if ((str = stringbuf_finish (&sb)) == NULL
+- || http_header_list_append (&phttp->request.headers, str, H_REPLACE))
+- {
+- res = -1;
+- goto end;
+- }
+ stringbuf_reset (&sb);
+-
+ stringbuf_printf (&sb, "X-SSL-serial: %ld",
+ ASN1_INTEGER_get (X509_get_serialNumber (phttp->x509)));
+ if ((str = stringbuf_finish (&sb)) == NULL
+@@ -3326,9 +3322,13 @@ add_ssl_headers (POUND_HTTP *phttp)
+
+ PEM_write_bio_X509 (bio, phttp->x509);
+ stringbuf_add_string (&sb, "X-SSL-certificate: ");
++ i = 0;
+ while (get_line (bio, buf, sizeof (buf)) == COPY_OK)
+ {
++ if (i > 0)
++ stringbuf_add_string (&sb, "\r\n\t");
+ stringbuf_add_string (&sb, buf);
++ i++;
+ }
+ if ((str = stringbuf_finish (&sb)) == NULL
+ || http_header_list_append (&phttp->request.headers, str, H_REPLACE))
+@@ -3580,7 +3580,7 @@ http_response_validate (struct http_request *req)
+ static int
+ http_response_validate (struct http_request *req)
+ {
+- char *str = req->request;
++ char const *str = req->request;
+ int http_ver;
+
+ if (!(strncmp (str, "HTTP/1.", 7) == 0 &&
+@@ -3589,9 +3589,7 @@ http_response_validate (struct http_request *req)
+ return 0;
+ req->version = http_ver - '0';
+
+- for (str += 8; isws (*str); str++)
+- if (!*str)
+- return 0;
++ str = trimwsl (str + 8);
+
+ switch (str[0])
+ {
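Review bot: In the new `set_header_from_bio` helper a read status other than COPY_OK or COPY_EOF is only logged and the function still returns 0, so `add_ssl_headers` carries on with that X-SSL-* header silently unset, whereas the code it replaces treated every non-COPY_OK result as fatal (`res = -1; goto end;`); a genuine read error should keep failing, e.g. `else if (rc != COPY_EOF) { logmsg (LOG_ERR, "(%"PRItid") error reading data: %s", POUND_TID (), copy_status_string (rc)); return -1; }`. The quiet skip on COPY_EOF is evidently a deliberate relaxation, but it means a request can reach the backend without pound's own X-SSL-Subject/Issuer/notBefore/notAfter value, and because H_REPLACE only overwrites when the append actually happens, whether a client-supplied header of the same name is stripped earlier is not visible in this hunk and is worth confirming. A short header comment on the helper would also help, e.g. `/* Read one line from BIO and set it as header HDR on REQ, replacing any existing one; returns -1 on buffer/append failure, 0 otherwise, including when BIO is already at EOF. */`. The body of `add_ssl_headers` that the later hunks touch starts and ends outside those hunks.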