Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 261735 Details for
Bug 353955
<net-misc/stunnel-4.35: file descriptor leaks
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
stunnel-4.35-xforwarded-for.diff
stunnel-4.35-xforwarded-for.diff (text/plain), 10.85 KB, created by
Stefan Behte (RETIRED)
on 2011-02-07 16:37:32 UTC
(
hide
)
Description:
stunnel-4.35-xforwarded-for.diff
Filename:
MIME Type:
Creator:
Stefan Behte (RETIRED)
Created:
2011-02-07 16:37:32 UTC
Size:
10.85 KB
patch
obsolete
>--- stunnel-4.35/doc/stunnel.fr.8.ori 2011-02-07 17:21:07.000000000 +0100 >+++ stunnel-4.35-xforwarded-for/doc/stunnel.fr.8 2011-02-07 17:21:31.000000000 +0100 >@@ -394,6 +394,10 @@ > .IP "\fBTIMEOUTidle\fR = secondes" 4 > .IX Item "TIMEOUTidle = secondes" > Durée d'attente sur une connexion inactive >+.IP "\fBxforwardedfor\fR = yes | no" 4 >+.IX Item "xforwardedfor = yes | no" >+Ajoute un en-tête 'X-Forwarded-For:' dans la requête HTTP fournissant >+au serveur l'adresse IP du client. > .IP "\fBtransparent\fR = yes | no (Unix seulement)" 4 > .IX Item "transparent = yes | no (Unix seulement)" > Mode mandataire transparent >diff -ru stunnel-4.35/doc/stunnel.8 stunnel-4.35-xforwarded-for/doc/stunnel.8 >--- stunnel-4.35/doc/stunnel.8 2010-09-15 09:11:21.000000000 +0200 >+++ stunnel-4.35-xforwarded-for/doc/stunnel.8 2010-12-06 21:56:08.770829792 +0100 >@@ -527,6 +527,10 @@ > .IP "\fBTIMEOUTidle\fR = seconds" 4 > .IX Item "TIMEOUTidle = seconds" > time to keep an idle connection >+.IP "\fBxforwardedfor\fR = yes | no" 4 >+.IX Item "xforwardedfor = yes | no" >+append an 'X-Forwarded-For:' HTTP request header providing the >+client's IP address to the server. > .IP "\fBtransparent\fR = none | source | destination | both (Unix only)" 4 > .IX Item "transparent = none | source | destination | both (Unix only)" > enable transparent proxy support on selected platforms >diff -ru stunnel-4.35/src/client.c stunnel-4.35-xforwarded-for/src/client.c >--- stunnel-4.35/src/client.c 2010-09-14 17:03:43.000000000 +0200 >+++ stunnel-4.35-xforwarded-for/src/client.c 2010-12-06 21:56:08.770829792 +0100 >@@ -84,6 +84,12 @@ > return NULL; > } > c->opt=opt; >+ /* some options need space to add some information */ >+ if (c->opt->option.xforwardedfor) >+ c->buffsize = BUFFSIZE - BUFF_RESERVED; >+ else >+ c->buffsize = BUFFSIZE; >+ c->crlf_seen=0; > c->local_rfd.fd=rfd; > c->local_wfd.fd=wfd; > return c; >@@ -372,6 +378,28 @@ > } > } > >+/* Moves all data from the buffer <buffer> between positions <start> and <stop> >+ * to insert <string> of length <len>. <start> and <stop> are updated to their >+ * new respective values, and the number of characters inserted is returned. >+ * If <len> is too long, nothing is done and -1 is returned. >+ * Note that neither <string> nor <buffer> can be NULL. >+ */ >+static int buffer_insert_with_len(char *buffer, int *start, int *stop, int limit, char *string, int len) { >+ if (len > limit - *stop) >+ return -1; >+ if (*start > *stop) >+ return -1; >+ memmove(buffer + *start + len, buffer + *start, *stop - *start); >+ memcpy(buffer + *start, string, len); >+ *start += len; >+ *stop += len; >+ return len; >+} >+ >+static int buffer_insert(char *buffer, int *start, int *stop, int limit, char *string) { >+ return buffer_insert_with_len(buffer, start, stop, limit, string, strlen(string)); >+} >+ > /****************************** transfer data */ > static void transfer(CLI *c) { > int watchdog=0; /* a counter to detect an infinite loop */ >@@ -390,7 +418,7 @@ > do { /* main loop of client data transfer */ > /****************************** initialize *_wants_* */ > read_wants_read= >- ssl_open_rd && c->ssl_ptr<BUFFSIZE && !read_wants_write; >+ ssl_open_rd && c->ssl_ptr<c->buffsize && !read_wants_write; > write_wants_write= > ssl_open_wr && c->sock_ptr && !write_wants_read; > >@@ -399,7 +427,7 @@ > /* for plain socket open data strem = open file descriptor */ > /* make sure to add each open socket to receive exceptions! */ > if(sock_open_rd) >- s_poll_add(&c->fds, c->sock_rfd->fd, c->sock_ptr<BUFFSIZE, 0); >+ s_poll_add(&c->fds, c->sock_rfd->fd, c->sock_ptr<c->buffsize, 0); > if(sock_open_wr) > s_poll_add(&c->fds, c->sock_wfd->fd, 0, c->ssl_ptr); > /* for SSL assume that sockets are open if there any pending requests */ >@@ -531,7 +559,7 @@ > /****************************** read from socket */ > if(sock_open_rd && sock_can_rd) { > num=readsocket(c->sock_rfd->fd, >- c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr); >+ c->sock_buff+c->sock_ptr, c->buffsize-c->sock_ptr); > switch(num) { > case -1: > parse_socket_error(c, "readsocket"); >@@ -567,7 +595,7 @@ > /****************************** update *_wants_* based on new *_ptr */ > /* this update is also required for SSL_pending() to be used */ > read_wants_read= >- ssl_open_rd && c->ssl_ptr<BUFFSIZE && !read_wants_write; >+ ssl_open_rd && c->ssl_ptr<c->buffsize && !read_wants_write; > write_wants_write= > ssl_open_wr && c->sock_ptr && !write_wants_read; > >@@ -577,10 +605,71 @@ > * writesocket() above made some room in c->ssl_buff */ > (read_wants_write && ssl_can_wr)) { > read_wants_write=0; >- num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr); >+ num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, c->buffsize-c->ssl_ptr); > switch(err=SSL_get_error(c->ssl, num)) { > case SSL_ERROR_NONE: >- c->ssl_ptr+=num; >+ if (c->buffsize != BUFFSIZE && c->opt->option.xforwardedfor) { /* some work left to do */ >+ int last = c->ssl_ptr; >+ c->ssl_ptr += num; >+ >+ /* Look for end of HTTP headers between last and ssl_ptr. >+ * To achieve this reliably, we have to count the number of >+ * successive [CR]LF and to memorize it in case it's spread >+ * over multiple segments. --WT. >+ */ >+ while (last < c->ssl_ptr) { >+ if (c->ssl_buff[last] == '\n') { >+ if (++c->crlf_seen == 2) >+ break; >+ } else if (last < c->ssl_ptr - 1 && >+ c->ssl_buff[last] == '\r' && >+ c->ssl_buff[last+1] == '\n') { >+ if (++c->crlf_seen == 2) >+ break; >+ last++; >+ } else if (c->ssl_buff[last] != '\r') >+ /* don't refuse '\r' because we may get a '\n' on next read */ >+ c->crlf_seen = 0; >+ last++; >+ } >+ if (c->crlf_seen >= 2) { >+ /* We have all the HTTP headers now. We don't need to >+ * reserve any space anymore. <ssl_ptr> points to the >+ * first byte of unread data, and <last> points to the >+ * exact location where we want to insert our headers, >+ * which is right before the empty line. >+ */ >+ c->buffsize = BUFFSIZE; >+ >+ if (c->opt->option.xforwardedfor) { >+ /* X-Forwarded-For: xxxx \r\n\0 */ >+ char xforw[17 + IPLEN + 3]; >+ >+ /* We will insert our X-Forwarded-For: header here. >+ * We need to write the IP address, but if we use >+ * sprintf, it will pad with the terminating 0. >+ * So we will pass via a temporary buffer allocated >+ * on the stack. >+ */ >+ memcpy(xforw, "X-Forwarded-For: ", 17); >+ if (getnameinfo(&c->peer_addr.addr[0].sa, >+ addr_len(c->peer_addr.addr[0]), >+ xforw + 17, IPLEN, NULL, 0, >+ NI_NUMERICHOST) == 0) { >+ strcat(xforw + 17, "\r\n"); >+ buffer_insert(c->ssl_buff, &last, &c->ssl_ptr, >+ c->buffsize, xforw); >+ } >+ /* last still points to the \r\n and ssl_ptr to the >+ * end of the buffer, so we may add as many headers >+ * as wee need to. >+ */ >+ } >+ } >+ } >+ else >+ c->ssl_ptr+=num; >+ > watchdog=0; /* reset watchdog */ > break; > case SSL_ERROR_WANT_WRITE: >diff -ru stunnel-4.35/src/common.h stunnel-4.35-xforwarded-for/src/common.h >--- stunnel-4.35/src/common.h 2010-09-14 17:00:36.000000000 +0200 >+++ stunnel-4.35-xforwarded-for/src/common.h 2010-12-06 21:56:08.770829792 +0100 >@@ -53,6 +53,9 @@ > /* I/O buffer size */ > #define BUFFSIZE 16384 > >+/* maximum space reserved for header insertion in BUFFSIZE */ >+#define BUFF_RESERVED 1024 >+ > /* length of strings (including the terminating '\0' character) */ > /* it can't be lower than 256 bytes or NTLM authentication will break */ > #define STRLEN 256 >diff -ru stunnel-4.35/src/options.c stunnel-4.35-xforwarded-for/src/options.c >--- stunnel-4.35/src/options.c 2010-09-14 17:09:36.000000000 +0200 >+++ stunnel-4.35-xforwarded-for/src/options.c 2010-12-06 21:56:08.774829832 +0100 >@@ -818,6 +818,29 @@ > } > #endif > >+ /* xforwardedfor */ >+ switch(cmd) { >+ case CMD_INIT: >+ section->option.xforwardedfor=0; >+ break; >+ case CMD_EXEC: >+ if(strcasecmp(opt, "xforwardedfor")) >+ break; >+ if(!strcasecmp(arg, "yes")) >+ section->option.xforwardedfor=1; >+ else if(!strcasecmp(arg, "no")) >+ section->option.xforwardedfor=0; >+ else >+ return "argument should be either 'yes' or 'no'"; >+ return NULL; /* OK */ >+ case CMD_DEFAULT: >+ break; >+ case CMD_HELP: >+ s_log(LOG_NOTICE, "%-15s = yes|no append an HTTP X-Forwarded-For header", >+ "xforwardedfor"); >+ break; >+ } >+ > /* exec */ > switch(cmd) { > case CMD_INIT: >diff -ru stunnel-4.35/src/prototypes.h stunnel-4.35-xforwarded-for/src/prototypes.h >--- stunnel-4.35/src/prototypes.h 2010-09-14 17:09:50.000000000 +0200 >+++ stunnel-4.35-xforwarded-for/src/prototypes.h 2010-12-06 21:56:08.774829832 +0100 >@@ -171,6 +171,7 @@ > struct { > unsigned int client:1; > unsigned int delayed_lookup:1; >+ unsigned int xforwardedfor:1; > unsigned int accept:1; > unsigned int remote:1; > unsigned int retry:1; /* loop remote+program */ >@@ -346,6 +347,8 @@ > FD *ssl_rfd, *ssl_wfd; /* read and write SSL descriptors */ > int sock_bytes, ssl_bytes; /* bytes written to socket and ssl */ > s_poll_set fds; /* file descriptors */ >+ int buffsize; /* current buffer size, may be lower than BUFFSIZE */ >+ int crlf_seen; /* the number of successive CRLF seen */ > } CLI; > > extern int max_fds, max_clients;
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 353955
:
261731
| 261735 |
261737
|
261739
|
261741