From 95ae6094a9eb0cdbfb3f678f4c8e3a2db11aacd2 Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Tue, 22 Nov 2022 18:58:24 -0800
Subject: [PATCH] CVE-2022-37797 [mod_wstunnel] fix crash with bad hybivers (fixes #3165) (thx MichaƂ Dardas) x-ref: "mod_wstunnel null pointer dereference" https://redmine.lighttpd.net/issues/3165 In order to trigger the reproducer on lighttpd 1.4.53, parsing of the Sec-Websocket-Version needs to be fixed as has been done in later versions. Due to internal refactoring, the actual NULL pointer dereference has moved elsewhere, but still crashes. -- Helmut Grohne The upstream patch is not a git header format which I have created here. [Backport from https://salsa.debian.org/debian/lighttpd/-/blob/buster-security/debian/patches/CVE-2022-37797.patch]
Signed-off-by: Zhixiong Chi
---
 src/mod_wstunnel.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
index ed5174a..99e3739 100644
--- a/src/mod_wstunnel.c
+++ b/src/mod_wstunnel.c
@@ -466,7 +466,7 @@ static int wstunnel_is_allowed_origin(connection *con, handler_ctx *hctx) {
 static int wstunnel_check_request(connection *con, handler_ctx *hctx) {
 const buffer * const vers =
 http_header_request_get(con, HTTP_HEADER_OTHER, CONST_STR_LEN("Sec-WebSocket-Version"));
- const long hybivers = (NULL != vers) ? strtol(vers->ptr, NULL, 10) : 0;
+ const long hybivers = (NULL != vers) ? (light_isdigit(*vers->ptr) ? strtol(vers->ptr, NULL, 10) : -1) : 0;
 if (hybivers < 0 || hybivers > INT_MAX) {
 DEBUG_LOG(MOD_WEBSOCKET_LOG_ERR, "s", "invalid Sec-WebSocket-Version");
 con->http_status = 400; /* Bad Request */
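Review bot: The new guard on the `hybivers` initializer in `wstunnel_check_request` inspects only the first byte of the header, so a value such as `13junk` is still accepted as 13 because `strtol` is called with a NULL end pointer. Passing an end pointer and rejecting a non-empty remainder would make the validation strict, e.g. `char *end; long v = strtol(vers->ptr, &end, 10);` followed by treating `*end != '\0'` as -1. On targets where `long` is as wide as `int`, the `hybivers > INT_MAX` test cannot fire and an overflowing value saturates silently, so checking `errno == ERANGE` after the call would cover that case. The guard also dereferences `vers->ptr` without a NULL check; presumably `http_header_request_get` never returns a buffer with a NULL `ptr`, but that should be confirmed. The function body continues past the end of the hunk.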
@@ -506,7 +506,10 @@ static handler_t wstunnel_handler_setup (server *srv, connection *con, plugin_da
 hctx->srv = srv; /*(for mod_wstunnel module-specific DEBUG_LOG() macro)*/
 hctx->conf = p->conf; /*(copies struct)*/
 hybivers = wstunnel_check_request(con, hctx);
- if (hybivers < 0) return HANDLER_FINISHED;
+ if (hybivers < 0) {
+ con->mode = DIRECT;
+ return HANDLER_FINISHED;
+ }
 hctx->hybivers = hybivers;
 if (0 == hybivers) {
 DEBUG_LOG(MOD_WEBSOCKET_LOG_INFO,"s","WebSocket Version = hybi-00");
--
2.34.1
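Review bot: The added `con->mode = DIRECT;` ahead of `return HANDLER_FINISHED;` carries no comment, although it appears to be the line that actually prevents the NULL dereference described in the commit message. I would put `/* give the request back to the core so it finishes the error response set by wstunnel_check_request() (issue #3165) */` directly above it, so a later refactor does not drop the reset as redundant. Whether `hctx` is released on this path, and whether other early returns in `wstunnel_handler_setup` need the same reset, cannot be judged from the hunk, since the function starts and ends outside it; both are worth checking against the full file.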