diff --git a/repos/ports/ports/lighttpd.hash b/repos/ports/ports/lighttpd.hash index 9558e79b57..6ddda7c345 100644 --- a/repos/ports/ports/lighttpd.hash +++ b/repos/ports/ports/lighttpd.hash @@ -1 +1 @@ -bbd4b02e545e2ba95fffddf5411c44dbbdb75efe +a603d9dcba885cc5a3f264a4a21ea16294523d84 diff --git a/repos/ports/ports/lighttpd.port b/repos/ports/ports/lighttpd.port index db19934e60..73d1415d23 100644 --- a/repos/ports/ports/lighttpd.port +++ b/repos/ports/ports/lighttpd.port @@ -6,4 +6,4 @@ URL(lighttpd) := http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-$ SHA(lighttpd) := 816cbec71e8d02d874f1d5c798d76d091a76d5acbeb6e017ba76aeb4263d6995 DIR(lighttpd) := src/app/lighttpd -PATCHES := $(addprefix src/app/lighttpd/,fd_cloexec.patch mod_dirlisting.patch mod_webdav.patch no_o_nonblock.patch) +PATCHES := $(addprefix src/app/lighttpd/,fd_cloexec.patch invalid_fdarray_access.patch mod_dirlisting.patch mod_webdav.patch no_o_nonblock.patch) diff --git a/repos/ports/src/app/lighttpd/invalid_fdarray_access.patch b/repos/ports/src/app/lighttpd/invalid_fdarray_access.patch new file mode 100644 index 0000000000..f577504e16 --- /dev/null +++ b/repos/ports/src/app/lighttpd/invalid_fdarray_access.patch @@ -0,0 +1,32 @@ +The lighttpd code expects continous and constrained fd numbering as it +is directly used for accessing array elements. As our libc consumes +itself fds internally, e.g. socket_fs, overallocate the fdarray and add +check that limits used fds. +--- src/app/lighttpd/src/fdevent_impl.c ++++ src/app/lighttpd/src/fdevent_impl.c +@@ -188,6 +188,15 @@ + maxfds = (uint32_t)FD_SETSIZE - 200; + } + #endif ++ ++ if (maxfds > 63) { ++ maxfds = 63; ++ log_error(errh, __FILE__, __LINE__, ++ "%s: limit maxfds to %u to prevent " ++ "invalid array access", ++ __func__, maxfds); ++ } ++ + *max_fds = (int)maxfds; + ++maxfds; /*(+1 for event-handler fd)*/ + +@@ -195,7 +204,8 @@ + ev->errh = errh; + ev->cur_fds = cur_fds; + ev->event_handler = event_handler; +- ev->fdarray = ck_calloc(maxfds, sizeof(*ev->fdarray)); ++ /* over allocate fdarray and rely on the maxfds check above */ ++ ev->fdarray = ck_calloc(1024, sizeof(*ev->fdarray)); + ev->maxfds = maxfds; + + switch(type) {