From 2311d54ec4a2320505750655c2c3fb4c525e0872 Mon Sep 17 00:00:00 2001
From: "niranjan.reddy" <niranjan.reddy@rockwellcollins.com>
Date: Tue, 1 Mar 2016 11:51:56 +0530
Subject: [PATCH] libfcgi:add security patch for CVE-2012-6687

Fix-CVE-2012-6687 - remote attackers cause a denial of service (crash)
via a large number of connections (http://www.cvedetails.com/cve/CVE-2012-6687/).
use poll in os_unix.c instead of select to avoid problem with > 1024 connections.
The patch libfcgi_2.4.0-8.3.debian.tar.xz is taken from the below link:
(https://launchpad.net/ubuntu/+source/libfcgi/2.4.0-8.3)
The next release of libfcgi is 2.4.1 which may have this fix is yet to be released
officially.

Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/libfcgi/0006-fix-CVE-2012-6687.patch | 104 +++++++++++++++++++
 1 file changed, 104 insertions(+)
 create mode 100644 package/libfcgi/0006-fix-CVE-2012-6687.patch

diff --git a/package/libfcgi/0006-fix-CVE-2012-6687.patch b/package/libfcgi/0006-fix-CVE-2012-6687.patch
new file mode 100644
index 0000000000..10d33ed58d
--- /dev/null
+++ b/package/libfcgi/0006-fix-CVE-2012-6687.patch
@@ -0,0 +1,104 @@
+libfcgi:add security patch for CVE-2012-6687
+CVE-2012-6687 - remote attackers cause a denial of service (crash) via a large number 
+of connections (http://www.cvedetails.com/cve/CVE-2012-6687/).
+Fix:use poll in os_unix.c instead of select to avoid problem with > 1024 connections.
+This patch libfcgi_2.4.0-8.3.debian.tar.xz is pulled from the below link:
+(https://launchpad.net/ubuntu/+source/libfcgi/2.4.0-8.3)
+The next release of libfcgi is 2.4.1 which may have this fix is yet to be released 
+officially.
+
+Signed-off-by: Anton Kortunov <toshic.toshic@gmail.com>
+Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
+
+Index: b/libfcgi/os_unix.c
+===================================================================
+--- a/libfcgi/os_unix.c
++++ b/libfcgi/os_unix.c
+@@ -42,6 +42,7 @@
+ #include <sys/time.h>
+ #include <sys/un.h>
+ #include <signal.h>
++#include <poll.h>
+ 
+ #ifdef HAVE_NETDB_H
+ #include <netdb.h>
+@@ -103,6 +104,9 @@
+ static int shutdownPending = FALSE;
+ static int shutdownNow = FALSE;
+ 
++static int libfcgiOsClosePollTimeout = 2000;
++static int libfcgiIsAfUnixKeeperPollTimeout = 2000;
++
+ void OS_ShutdownPending()
+ {
+     shutdownPending = TRUE;
+@@ -168,6 +172,16 @@
+     if(libInitialized)
+         return 0;
+ 
++    char *libfcgiOsClosePollTimeoutStr = getenv( "LIBFCGI_OS_CLOSE_POLL_TIMEOUT" );
++    if(libfcgiOsClosePollTimeoutStr) {
++        libfcgiOsClosePollTimeout = atoi(libfcgiOsClosePollTimeoutStr);
++    }
++
++    char *libfcgiIsAfUnixKeeperPollTimeoutStr = getenv( "LIBFCGI_IS_AF_UNIX_KEEPER_POLL_TIMEOUT" );
++    if(libfcgiIsAfUnixKeeperPollTimeoutStr) {
++        libfcgiIsAfUnixKeeperPollTimeout = atoi(libfcgiIsAfUnixKeeperPollTimeoutStr);
++    }
++
+     asyncIoTable = (AioInfo *)malloc(asyncIoTableSize * sizeof(AioInfo));
+     if(asyncIoTable == NULL) {
+         errno = ENOMEM;
+@@ -755,19 +769,16 @@
+ 
+     if (shutdown(fd, 1) == 0)
+     {
+-        struct timeval tv;
+-        fd_set rfds;
++        struct pollfd pfd;
+         int rv;
+         char trash[1024];
+ 
+-        FD_ZERO(&rfds);
++        pfd.fd = fd;
++        pfd.events = POLLIN;
+ 
+         do 
+         {
+-            FD_SET(fd, &rfds);
+-            tv.tv_sec = 2;
+-            tv.tv_usec = 0;
+-            rv = select(fd + 1, &rfds, NULL, NULL, &tv);
++            rv = poll(&pfd, 1, libfcgiOsClosePollTimeout);
+         }
+         while (rv > 0 && read(fd, trash, sizeof(trash)) > 0);
+     }
+@@ -1116,13 +1127,11 @@
+  */
+ static int is_af_unix_keeper(const int fd)
+ {
+-    struct timeval tval = { READABLE_UNIX_FD_DROP_DEAD_TIMEVAL };
+-    fd_set read_fds;
+-
+-    FD_ZERO(&read_fds);
+-    FD_SET(fd, &read_fds);
++    struct pollfd pfd;
++    pfd.fd = fd;
++    pfd.events = POLLIN;
+ 
+-    return select(fd + 1, &read_fds, NULL, NULL, &tval) >= 0 && FD_ISSET(fd, &read_fds);
++    return poll(&pfd, 1, libfcgiIsAfUnixKeeperPollTimeout) >= 0 && (pfd.revents & POLLIN);
+ }
+ 
+ /*
+
+Index: b/examples/Makefile.am
+===================================================================
+--- a/examples/Makefile.am
++++ b/examples/Makefile.am
+@@ -34,5 +34,5 @@ threaded_CFLAGS    = @PTHREAD_CFLAGS@
+ threaded_LDFLAGS   = @PTHREAD_CFLAGS@ @PTHREAD_LIBS@
+ 
+ echo_cpp_SOURCES = $(INCLUDE_FILES) $(INCLUDEDIR)/fcgio.h echo-cpp.cpp
+-echo_cpp_LDADD   = $(LIBDIR)/libfcgi++.la
++echo_cpp_LDADD   = $(LIBDIR)/libfcgi++.la $(LIBDIR)/libfcgi.la
-- 
2.30.2