From 1f1375a2a615337d3fd1da2aad7a080243cbdcb7 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Wed, 4 Mar 2015 19:18:27 +0000
Subject: [PATCH] Merge r1657261 from trunk:

  *) SECURITY: CVE-2015-0228 (cve.mitre.org)
     mod_lua: A maliciously crafted websockets PING after a script
     calls r:wsupgrade() can cause a child process crash.
     [Edward Lu <Chaosed0 gmail.com>]

Discovered by Guido Vranken <guidovranken gmail.com>

Submitted by: Edward Lu
Committed by: covener




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1664118 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                   | 5 +++++
 STATUS                    | 8 --------
 modules/lua/lua_request.c | 6 +++++-
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index 7212e311b90..d51dd939874 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@
 
 Changes with Apache 2.4.13
 
+  *) SECURITY: CVE-2015-0228 (cve.mitre.org)
+     mod_lua: A maliciously crafted websockets PING after a script
+     calls r:wsupgrade() can cause a child process crash. 
+     [Edward Lu <Chaosed0 gmail.com>]
+
   *) mod_lua: After a r:wsupgrade(), mod_lua was not properly
      responding to a websockets PING but instead invoking the specified 
      script. PR57524. [Edward Lu <Chaosed0 gmail.com>]
diff --git a/STATUS b/STATUS
index 0a37515401b..6fce26b4949 100644
--- a/STATUS
+++ b/STATUS
@@ -106,14 +106,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) SECURITY: CVE-2015-0228 (cve.mitre.org)
-     mod_lua: A maliciously crafted websockets PING after a script
-     calls r:wsupgrade() can cause a child process crash.
-     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1657261
-     2.4.x patch: trunk works
-     Note: Technically CTR but it's a CVE.
-     +1: covener, minfrin, ylavic
-
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
index 1ee8421e717..4f8d39afd97 100644
--- a/modules/lua/lua_request.c
+++ b/modules/lua/lua_request.c
@@ -2229,6 +2229,7 @@ static int lua_websocket_read(lua_State *L)
 {
     apr_socket_t *sock;
     apr_status_t rv;
+    int do_read = 1;
     int n = 0;
     apr_size_t len = 1;
     apr_size_t plen = 0;
@@ -2246,6 +2247,8 @@ static int lua_websocket_read(lua_State *L)
     mask_bytes = apr_pcalloc(r->pool, 4);
     sock = ap_get_conn_socket(r->connection);
 
+    while (do_read) { 
+    do_read = 0;
     /* Get opcode and FIN bit */
     if (plaintext) {
         rv = apr_socket_recv(sock, &byte, &len);
@@ -2379,10 +2382,11 @@ static int lua_websocket_read(lua_State *L)
                 frame[0] = 0x8A;
                 frame[1] = 0;
                 apr_socket_send(sock, frame, &plen); /* Pong! */
-                lua_websocket_read(L); /* read the next frame instead */
+                do_read = 1;
             }
         }
     }
+    }
     return 0;
 }