haproxy/CVE-2024-53008-2.patch

From 6748a47819c263d4631187b6f121b5344ab50d57 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Fri, 28 Jun 2024 10:50:19 +0200
Subject: [PATCH] BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally
 valid
Origin: https://github.com/haproxy/haproxy/commit/6748a47819c263d4631187b6f121b5344ab50d57

Ensure pseudo-header scheme is only constitued of valid characters
according to RFC 9110. If an invalid value is found, the request is
rejected and stream is resetted.

It's the same as for previous commit "BUG/MEDIUM: h3: ensure the
":method" pseudo header is totally valid" except that this time it
applies to the ":scheme" pseudo header.

This must be backported up to 2.6.

(cherry picked from commit a3bed52d1f84ba36af66be4317a5f746d498bdf4)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 5ddc4004cb0c3c4ea4f4596577c85f004678e9c0)
[cf: adapted]
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
---
 src/h3.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/h3.c b/src/h3.c
index 4e21f6b92f535..1984f984f7daf 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -666,6 +666,14 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
 				len = -1;
 				goto out;
 			}
+
+			if (!http_validate_scheme(list[hdr_idx].v)) {
+				TRACE_ERROR("invalid scheme pseudo-header", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
+				h3s->err = H3_MESSAGE_ERROR;
+				len = -1;
+				goto out;
+			}
+
 			scheme = list[hdr_idx].v;
 		}
 		else if (isteq(list[hdr_idx].n, ist(":authority"))) {
Fix CVE-2024-53008 2024-12-10 10:27:43 +08:00			`From 6748a47819c263d4631187b6f121b5344ab50d57 Mon Sep 17 00:00:00 2001`
			`From: Amaury Denoyelle <adenoyelle@haproxy.com>`
			`Date: Fri, 28 Jun 2024 10:50:19 +0200`
			`Subject: [PATCH] BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally`
			`valid`
			`Origin: https://github.com/haproxy/haproxy/commit/6748a47819c263d4631187b6f121b5344ab50d57`

			`Ensure pseudo-header scheme is only constitued of valid characters`
			`according to RFC 9110. If an invalid value is found, the request is`
			`rejected and stream is resetted.`

			`It's the same as for previous commit "BUG/MEDIUM: h3: ensure the`
			`":method" pseudo header is totally valid" except that this time it`
			`applies to the ":scheme" pseudo header.`

			`This must be backported up to 2.6.`

			`(cherry picked from commit a3bed52d1f84ba36af66be4317a5f746d498bdf4)`
			`Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>`
			`(cherry picked from commit 5ddc4004cb0c3c4ea4f4596577c85f004678e9c0)`
			`[cf: adapted]`
			`Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>`
			`---`
			`src/h3.c \| 8 ++++++++`
			`1 file changed, 8 insertions(+)`

			`diff --git a/src/h3.c b/src/h3.c`
			`index 4e21f6b92f535..1984f984f7daf 100644`
			`--- a/src/h3.c`
			`+++ b/src/h3.c`
			`@@ -666,6 +666,14 @@ static ssize_t h3_headers_to_htx(struct qcs qcs, const struct buffer buf,`
			`len = -1;`
			`goto out;`
			`}`
			`+`
			`+ if (!http_validate_scheme(list[hdr_idx].v)) {`
			`+ TRACE_ERROR("invalid scheme pseudo-header", H3_EV_RX_FRAME\|H3_EV_RX_HDR, qcs->qcc->conn, qcs);`
			`+ h3s->err = H3_MESSAGE_ERROR;`
			`+ len = -1;`
			`+ goto out;`
			`+ }`
			`+`
			`scheme = list[hdr_idx].v;`
			`}`
			`else if (isteq(list[hdr_idx].n, ist(":authority"))) {`