*) SECURITY: CVE-2015-0228 (cve.mitre.org)

mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash. [Edward Lu <Chaosed0 gmail.com>] Discovered by Guido Vranken <guidovranken gmail.com> Submitted by: Edward Lu Committed by: covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657261 13f79535-47bb-0310-9956-ffa450edef68
2025-08-07 04:02:58 +03:00 · 2015-02-04 14:44:23 +00:00
parent 8f40799093
commit 78eb3b9235
2 changed files with 10 additions and 1 deletions
--- a/modules/lua/lua_request.c
+++ b/modules/lua/lua_request.c
@@ -2227,6 +2227,7 @@ static int lua_websocket_read(lua_State *L)
 {
    apr_socket_t *sock;
    apr_status_t rv;
+    int do_read = 1;
    int n = 0;
    apr_size_t len = 1;
    apr_size_t plen = 0;
@@ -2244,6 +2245,8 @@ static int lua_websocket_read(lua_State *L)
    mask_bytes = apr_pcalloc(r->pool, 4);
    sock = ap_get_conn_socket(r->connection);

+    while (do_read) { 
+    do_read = 0;
    /* Get opcode and FIN bit */
    if (plaintext) {
        rv = apr_socket_recv(sock, &byte, &len);
@@ -2377,10 +2380,11 @@ static int lua_websocket_read(lua_State *L)
                frame[0] = 0x8A;
                frame[1] = 0;
                apr_socket_send(sock, frame, &plen); /* Pong! */
-                lua_websocket_read(L); /* read the next frame instead */
+                do_read = 1;
            }
        }
    }
+    }
    return 0;
 }