Security fix for CVE-2012-3505, tinyproxy: multiple headers hashmap DoS

www/tinyproxy/Makefile

@@ -1,9 +1,10 @@
-# $OpenBSD: Makefile,v 1.22 2012/06/22 13:26:59 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.23 2012/08/20 09:51:20 jasper Exp $
 
 COMMENT =		lightweight HTTP/SSL proxy
 
 V =			1.8.3
 DISTNAME =		tinyproxy-${V}
+REVISION =		0
 CATEGORIES =		www net
 
 HOMEPAGE =		https://www.banu.com/tinyproxy/

www/tinyproxy/distinfo

@@ -1,5 +1,2 @@
-MD5 (tinyproxy-1.8.3.tar.gz) = 7Kkn9/apzoOUsrJWNhl4pw==
-RMD160 (tinyproxy-1.8.3.tar.gz) = QcrkyPzJllCnbXvtUqN5qd0PrvA=
-SHA1 (tinyproxy-1.8.3.tar.gz) = 6/S9pg/y0P3xhGRn8Hs7vZ75D68=
 SHA256 (tinyproxy-1.8.3.tar.gz) = aCQWyPD3M6gQbIe7OVxjEiJWl1H+Rhe8OB0EmbDwwBc=
 SIZE (tinyproxy-1.8.3.tar.gz) = 266744

www/tinyproxy/patches/patch-src_child_c

@@ -0,0 +1,26 @@
+$OpenBSD: patch-src_child_c,v 1.1 2012/08/20 09:51:20 jasper Exp $
+
+Security fix for CVE-2012-3505, tinyproxy: multiple headers hashmap DoS
+Patch from https://bugzilla.redhat.com/show_bug.cgi?id=849368
+CVE-2012-3505-tinyproxy-randomized-hashmaps.patch
+
+--- src/child.c.orig	Sun Jan 10 23:52:04 2010
++++ src/child.c	Mon Aug 20 11:47:33 2012
+@@ -20,6 +20,9 @@
+  * processing incoming connections.
+  */
+ 
++#include <stdlib.h>
++#include <time.h>
++
+ #include "main.h"
+ 
+ #include "child.h"
+@@ -196,6 +199,7 @@ static void child_main (struct child_s *ptr)
+         }
+ 
+         ptr->connects = 0;
++	srand(time(NULL));
+ 
+         while (!config.quit) {
+                 ptr->status = T_WAITING;

www/tinyproxy/patches/patch-src_hashmap_c

@@ -0,0 +1,87 @@
+$OpenBSD: patch-src_hashmap_c,v 1.1 2012/08/20 09:51:20 jasper Exp $
+
+Security fix for CVE-2012-3505, tinyproxy: multiple headers hashmap DoS
+Patch from https://bugzilla.redhat.com/show_bug.cgi?id=849368
+CVE-2012-3505-tinyproxy-randomized-hashmaps.patch
+
+--- src/hashmap.c.orig	Mon Jan 25 19:24:01 2010
++++ src/hashmap.c	Mon Aug 20 11:47:33 2012
+@@ -25,6 +25,8 @@
+  * don't try to free the data, or realloc the memory. :)
+  */
+ 
++#include <stdlib.h>
++
+ #include "main.h"
+ 
+ #include "hashmap.h"
+@@ -50,6 +52,7 @@ struct hashbucket_s {
+ };
+ 
+ struct hashmap_s {
++        uint32_t seed;
+         unsigned int size;
+         hashmap_iter end_iterator;
+ 
+@@ -65,7 +68,7 @@ struct hashmap_s {
+  *
+  * If any of the arguments are invalid a negative number is returned.
+  */
+-static int hashfunc (const char *key, unsigned int size)
++static int hashfunc (const char *key, unsigned int size, uint32_t seed)
+ {
+         uint32_t hash;
+ 
+@@ -74,7 +77,7 @@ static int hashfunc (const char *key, unsigned int siz
+         if (size == 0)
+                 return -ERANGE;
+ 
+-        for (hash = tolower (*key++); *key != '\0'; key++) {
++        for (hash = seed; *key != '\0'; key++) {
+                 uint32_t bit = (hash & 1) ? (1 << (sizeof (uint32_t) - 1)) : 0;
+ 
+                 hash >>= 1;
+@@ -104,6 +107,7 @@ hashmap_t hashmap_create (unsigned int nbuckets)
+         if (!ptr)
+                 return NULL;
+ 
++	ptr->seed = (uint32_t)rand();
+         ptr->size = nbuckets;
+         ptr->buckets = (struct hashbucket_s *) safecalloc (nbuckets,
+                                                            sizeof (struct
+@@ -201,7 +205,7 @@ hashmap_insert (hashmap_t map, const char *key, const 
+         if (!data || len < 1)
+                 return -ERANGE;
+ 
+-        hash = hashfunc (key, map->size);
++        hash = hashfunc (key, map->size, map->seed);
+         if (hash < 0)
+                 return hash;
+ 
+@@ -382,7 +386,7 @@ ssize_t hashmap_search (hashmap_t map, const char *key
+         if (map == NULL || key == NULL)
+                 return -EINVAL;
+ 
+-        hash = hashfunc (key, map->size);
++        hash = hashfunc (key, map->size, map->seed);
+         if (hash < 0)
+                 return hash;
+ 
+@@ -416,7 +420,7 @@ ssize_t hashmap_entry_by_key (hashmap_t map, const cha
+         if (!map || !key || !data)
+                 return -EINVAL;
+ 
+-        hash = hashfunc (key, map->size);
++        hash = hashfunc (key, map->size, map->seed);
+         if (hash < 0)
+                 return hash;
+ 
+@@ -451,7 +455,7 @@ ssize_t hashmap_remove (hashmap_t map, const char *key
+         if (map == NULL || key == NULL)
+                 return -EINVAL;
+ 
+-        hash = hashfunc (key, map->size);
++        hash = hashfunc (key, map->size, map->seed);
+         if (hash < 0)
+                 return hash;
+ 

www/tinyproxy/patches/patch-src_reqs_c

@@ -0,0 +1,50 @@
+$OpenBSD: patch-src_reqs_c,v 1.1 2012/08/20 09:51:20 jasper Exp $
+
+Security fix for CVE-2012-3505, tinyproxy: multiple headers hashmap DoS
+Patch from https://bugzilla.redhat.com/show_bug.cgi?id=849368
+CVE-2012-3505-tinyproxy-limit-headers.patch
+
+--- src/reqs.c.orig	Mon Feb  7 13:31:03 2011
++++ src/reqs.c	Mon Aug 20 11:46:43 2012
+@@ -610,6 +610,11 @@ add_header_to_connection (hashmap_t hashofheaders, cha
+         return hashmap_insert (hashofheaders, header, sep, len);
+ }
+ 
++/* define max number of headers. big enough to handle legitimate cases,
++ * but limited to avoid DoS 
++ */
++#define MAX_HEADERS 10000
++
+ /*
+  * Read all the headers from the stream
+  */
+@@ -617,6 +622,7 @@ static int get_all_headers (int fd, hashmap_t hashofhe
+ {
+         char *line = NULL;
+         char *header = NULL;
++	int count;
+         char *tmp;
+         ssize_t linelen;
+         ssize_t len = 0;
+@@ -625,7 +631,7 @@ static int get_all_headers (int fd, hashmap_t hashofhe
+         assert (fd >= 0);
+         assert (hashofheaders != NULL);
+ 
+-        for (;;) {
++        for (count = 0; count < MAX_HEADERS; count++) {
+                 if ((linelen = readline (fd, &line)) <= 0) {
+                         safefree (header);
+                         safefree (line);
+@@ -691,6 +697,12 @@ static int get_all_headers (int fd, hashmap_t hashofhe
+ 
+                 safefree (line);
+         }
++
++	/* if we get there, this is we reached MAX_HEADERS count.
++	   bail out with error */
++	safefree (header);
++	safefree (line);
++	return -1;
+ }
+ 
+ /*