1berry/nodejs
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

http: fix out-of-order 'finish' bug in pipelining

Browse Source 
Changes to `stream_base.cc` are required to support empty writes.
Fixes CVE-2015-7384, https://github.com/nodejs/node/issues/3138

Fix: https://github.com/nodejs/node/issues/2639
PR-URL: https://github.com/nodejs/node/pull/3128
This commit is contained in:
Fedor Indutny 2015-09-25 23:36:06 -04:00 committed by Rod Vagg
parent 342c3a1bbb
commit 05040664c2
3 changed files with 39 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
lib/_http_outgoing.js
View File

@ -133,12 +133,6 @@ OutgoingMessage.prototype._writeRaw = function(data, encoding, callback) {
encoding = null; encoding = null;
} }
if (data.length === 0) {
if (typeof callback === 'function')
process.nextTick(callback);
return true;
}
var connection = this.connection; var connection = this.connection;
if (connection && if (connection &&
connection._httpMessage === this && connection._httpMessage === this &&
@ -158,6 +152,10 @@ OutgoingMessage.prototype._writeRaw = function(data, encoding, callback) {
this.output = []; this.output = [];
this.outputEncodings = []; this.outputEncodings = [];
this.outputCallbacks = []; this.outputCallbacks = [];
} else if (data.length === 0) {
if (typeof callback === 'function')
process.nextTick(callback);
return true;
} }
// Directly write to socket. // Directly write to socket.

2
src/stream_base.cc
View File

@ -154,7 +154,7 @@ int StreamBase::Writev(const FunctionCallbackInfo<Value>& args) {
// Write string // Write string
offset = ROUND_UP(offset, WriteWrap::kAlignSize); offset = ROUND_UP(offset, WriteWrap::kAlignSize);
CHECK_LT(offset, storage_size); CHECK_LE(offset, storage_size);
char* str_storage = req_wrap->Extra(offset); char* str_storage = req_wrap->Extra(offset);
size_t str_size = storage_size - offset; size_t str_size = storage_size - offset;

34
test/parallel/test-http-pipeline-regr-2639.js Normal file
View File

@ -0,0 +1,34 @@
'use strict';
const common = require('../common');
const assert = require('assert');
const http = require('http');
const net = require('net');
const COUNT = 10;
var received = 0;
var server = http.createServer(function(req, res) {
// Close the server, we have only one TCP connection anyway
if (received++ === 0)
server.close();
res.writeHead(200);
res.write('data');
setTimeout(function() {
res.end();
}, (Math.random() * 100) | 0);
}).listen(common.PORT, function() {
const s = net.connect(common.PORT);
var big = '';
for (var i = 0; i < COUNT; i++)
big += 'GET / HTTP/1.0\r\n\r\n';
s.write(big);
s.resume();
});
process.on('exit', function() {
assert.equal(received, COUNT);
});