CVE-2022-30556 HTTP/2 may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.

CVE-2022-30556 HTTP/2 may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.

This may result in an unsuccessful request or cause an error to be returned to an application.

Apache HTTP Server does not allocate storage for the length parameter. Therefore, it is up to the application calling r:wsread() to ensure that the length of the data it writes is never larger than the size of the buffer.

Versions of Apache HTTP Server prior to 2.4.53 may return output from r:wsread() that points beyond the end of the allocated storage. This may cause an error to be returned to an application.

Apache HTTP Server 2.4.53 and later no longer return incorrect lengths when r:wsread() is used with input that exceeds the size of the buffer.

There may be cases where r:wsread() will fail and return an HTTP error code when the length of the data exceeds the size of the buffer.
Affected applications should upgrade to a version of Apache HTTP Server that is prior to 2.4.53.

Vendor Information

The Apache Software Foundation provides updates to the Apache HTTP Server software.
Versions of Apache HTTP Server prior to 2.4.51 incorrectly return a length parameter of 0 when r:wsread() is used with input that exceeds the size of the buffer.

What to do if you are using Apache HTTP Server  2.4.53 or later

If you are using Apache HTTP Server 2.4.53 or later, and you are experiencing an error in r:wsread() with a length parameter greater than the size of the buffer, it is likely because the application passed in data that was too large to be stored in the buffer. In this case, the application should use an alternative method, such as f:write(), to write its data to the socket.

Mitigation

This issue has been addressed in the Apache HTTP Server 2.4.53 and later by fixing a bug where r:wsread() failed to return an error when the length of the data exceeded the size of the buffer

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe