{"schema":"libjg2-1",
"vpath":"/git/",
"avatar":"/git/avatar/",
"alang":"",
"gen_ut":1760994370,
"reponame":"libwebsockets",
"desc":"libwebsockets lightweight C networking library",
"owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://libwebsockets.org/repo/libwebsockets",
"f":3,
"items": [
{"schema":"libjg2-1",
"cid":"c6979373b6985661a495e8b43c1038f0",
"commit": {"type":"commit",
"time": 1759939397,
"time_ofs": 60,
"oid_tree": { "oid": "a1b2b28c69708ab4e347a5667c5bd8cdb0349f31", "alias": []},
"oid":{ "oid": "2f082ec31261f556969160143ba94875d783971a", "alias": []},
"msg": "NN-2025-0102: UAF depending on upgrade allowed",
"sig_commit": { "git_time": { "time": 1759939397, "offset": 60 }, "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },
"sig_author": { "git_time": { "time": 1758714384, "offset": 60 }, "name": "Nozomi Network Labs", "email": "labs-advisory@nozominetworks.com", "md5": "e570194d13a3ff6c89099f07c6cf4a59" }},
"body": "NN-2025-0102: UAF depending on upgrade allowed\n\nThis document contains sensitive information collected during our\nsecurity research activities related with the Libwebsockets library\nmaintained by Andy Green (warmcat).\n\n+-------------------------------------------------------------------------------------------------------+\n| Report information |\n+:\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d:+:\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d:+\n| Vendor | warmcat |\n+-------------------------------------+-----------------------------------------------------------------+\n| Vendor URL | https://libwebsockets.org/git/libwebsockets |\n+-------------------------------------+-----------------------------------------------------------------+\n| Affected component | libwebsockets |\n+-------------------------------------+-----------------------------------------------------------------+\n| Affected version | 4.4 |\n+-------------------------------------+-----------------------------------------------------------------+\n| Vulnerability | CWE-416: Use After Free |\n+-------------------------------------+-----------------------------------------------------------------+\n| Proposed CVSS v3.1 Base Score | 6.0 |\n+-------------------------------------+-----------------------------------------------------------------+\n| Proposed CVSS v3.1 Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N 
|\n+-------------------------------------+-----------------------------------------------------------------+\n\n+-----------------------------------------------------------------------------+\n| Security Researcher(s) |\n+:\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d:+:\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d:+\n| Name | **Email address** |\n+-------------------------------------+---------------------------------------+\n| Raffaele Bova | labs-advisory@nozominetworks.com |\n+-------------------------------------+---------------------------------------+\n\nLibwebsockets is a C library that provides client and server\nimplementations for various protocols (e.g., HTTP, websockets, MQTT) and\nmore.\n\nNozomi Networks Lab discovered a \u0022CWE-416: Use After Free\u0022 in the latest\nsoftware version of libwebsockets, specifically in the WebSocket server\nimplementation.\n\nDepending on the use of the API, the vulnerability may allow an attacker\nto read or write data, which could cause a loss of integrity or\navailability.\n\nThe issue is caused by the `lws_handshake_protocol` function, specifically\nwhen the upgrade header is not valid, the function calls\n`lws_http_transaction_completed`, which frees some of the data in the wsi\nstructure, then it calls `user_callback_handle_rxflow` passing the up\npointer and uses it on following strcasecmp calls.\n\nFrom our understanding, for this vulnerability to have a meaningful\nimpact, a user that implements the Websocket server must provide a user\ncallback function which is going to handle\n`LWS_CALLBACK_HTTP_CONFIRM_UPGRADE`, while ignoring the length and doing\noperations on the up 
pointer.\n\nIt is possible to compile the minimal websocket server using address\nsanitizer to quickly verify the use after free.\n\nFrom our understanding of the code, if the upgrade header does not match\nthe intended contents, then the code after the if statement when\n`lws_http_transaction_completed` is called should not be executed, thus\nsimply enclosing all that code in the else branch solves the issue.\n"
,
"diff": "diff --git a/lib/roles/http/server/server.c b/lib/roles/http/server/server.c\nindex 6cd89b3..69e13f0 100644\n--- a/lib/roles/http/server/server.c\n+++ b/lib/roles/http/server/server.c\n@@ -2466,49 +2466,49 @@ raw_transition:\n \t\t\t\t\t\tHTTP_STATUS_FORBIDDEN, NULL) ||\n \t\t\t\t lws_http_transaction_completed(wsi))\n \t\t\t\t\tgoto bail_nuke_ah;\n-\t\t\t}\n-\n-\t\t\tn \u003d user_callback_handle_rxflow(wsi-\u003ea.protocol-\u003ecallback,\n-\t\t\t\t\twsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE,\n-\t\t\t\t\twsi-\u003euser_space, (char *)up, 0);\n+\t\t\t} else {\n+\t\t\t\tn \u003d user_callback_handle_rxflow(wsi-\u003ea.protocol-\u003ecallback,\n+\t\t\t\t\t\twsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE,\n+\t\t\t\t\t\twsi-\u003euser_space, (char *)up, 0);\n \n-\t\t\t/* just hang up? */\n+\t\t\t\t/* just hang up? */\n \n-\t\t\tif (n \u003c 0)\n-\t\t\t\tgoto bail_nuke_ah;\n+\t\t\t\tif (n \u003c 0)\n+\t\t\t\t\tgoto bail_nuke_ah;\n \n-\t\t\t/* callback returned headers already, do t_c? */\n+\t\t\t\t/* callback returned headers already, do t_c? 
*/\n \n-\t\t\tif (n \u003e 0) {\n-\t\t\t\tif (lws_http_transaction_completed(wsi))\n+\t\t\t\tif (n \u003e 0) {\n+\t\t\t\t if (lws_http_transaction_completed(wsi))\n \t\t\t\t\tgoto bail_nuke_ah;\n \n-\t\t\t\t/* continue on */\n+\t\t\t\t /* continue on */\n \n-\t\t\t\treturn 0;\n-\t\t\t}\n+\t\t\t\t return 0;\n+\t\t\t\t}\n \n-\t\t\t/* callback said 0, it was allowed */\n+\t\t\t\t/* callback said 0, it was allowed */\n \n-\t\t\tif (wsi-\u003ea.vhost-\u003eoptions \u0026\n-\t\t\t LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK \u0026\u0026\n-\t\t\t lws_confirm_host_header(wsi))\n-\t\t\t\tgoto bail_nuke_ah;\n+\t\t\t\tif (wsi-\u003ea.vhost-\u003eoptions \u0026\n+\t\t\t\t\tLWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK \u0026\u0026\n+\t\t\t\t\tlws_confirm_host_header(wsi))\n+\t\t\t\t goto bail_nuke_ah;\n \n-\t\t\tif (!strcasecmp(up, \u0022websocket\u0022)) {\n+\t\t\t\tif (!strcasecmp(up, \u0022websocket\u0022)) {\n #if defined(LWS_ROLE_WS)\n-\t\t\t\tlws_metrics_tag_wsi_add(wsi, \u0022upg\u0022, \u0022ws\u0022);\n-\t\t\t\tlwsl_info(\u0022Upgrade to ws\u005cn\u0022);\n-\t\t\t\tgoto upgrade_ws;\n+\t\t\t\t\tlws_metrics_tag_wsi_add(wsi, \u0022upg\u0022, \u0022ws\u0022);\n+\t\t\t\t\tlwsl_info(\u0022Upgrade to ws\u005cn\u0022);\n+\t\t\t\t\tgoto upgrade_ws;\n #endif\n-\t\t\t}\n+\t\t\t\t}\n #if defined(LWS_WITH_HTTP2)\n-\t\t\tif (!strcasecmp(up, \u0022h2c\u0022)) {\n-\t\t\t\tlws_metrics_tag_wsi_add(wsi, \u0022upg\u0022, \u0022h2c\u0022);\n-\t\t\t\tlwsl_info(\u0022Upgrade to h2c\u005cn\u0022);\n-\t\t\t\tgoto upgrade_h2c;\n-\t\t\t}\n+\t\t\t\tif (!strcasecmp(up, \u0022h2c\u0022)) {\n+\t\t\t\t lws_metrics_tag_wsi_add(wsi, \u0022upg\u0022, \u0022h2c\u0022);\n+\t\t\t\t lwsl_info(\u0022Upgrade to h2c\u005cn\u0022);\n+\t\t\t\t goto upgrade_h2c;\n+\t\t\t\t}\n #endif\n+\t\t\t}\n \t\t}\n \n \t\t/* no upgrade ack... he remained as HTTP */\n","s":{"c":1760971178,"u": 4364}}
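Review bot: with the rejected-upgrade path now bypassing the new `else`, execution after the 403 and `lws_http_transaction_completed(wsi)` falls through to the `/* no upgrade ack... he remained as HTTP */` code below the added closing `}`, so please confirm that path does not read the request headers or `up` again for a request whose transaction has already been completed; an explicit `return 0` after the rejection, matching the `return 0` already used when the callback returns `n > 0`, would make that intent visible in the code rather than implicit in the fall-through. The `else` itself is the right shape for the bug: before this hunk, a non-matching `Upgrade:` value sent the 403, completed the transaction (which, per the commit message, frees the header state that `up` points into) and then still reached `user_callback_handle_rxflow(..., (char *)up, 0)` and `strcasecmp(up, "websocket")`. Two smaller points on the same hunk: the callback is still invoked with length `0` for the `(char *)up` argument, so a user handler of `LWS_CALLBACK_HTTP_CONFIRM_UPGRADE` cannot bound its reads by the length it is given and has to treat the argument as a NUL-terminated string, which deserves a sentence in the callback documentation; and the re-indented lines mix tabs and spaces (`+\t\t\t\t if (lws_http_transaction_completed(wsi))`, `+\t\t\t\t goto bail_nuke_ah;`, and the `h2c` block) while their neighbours use tabs only, so the indentation should be normalised before merge.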
],"g": 939,"chitpc": 0,"ehitpc": 0,"indexed":0
,
"ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "7d0a"}