blob: 69e6d5a0dbf51d94fb0d8001f3f6690ba42998a8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
From a48aea18b6c7ee534cd21f7febfe253e31b33eda Mon Sep 17 00:00:00 2001
From: Davide Beatrici <git@davidebeatrici.dev>
Date: Sat, 4 Apr 2020 07:48:46 +0200
Subject: [PATCH] src/murmur/Server.cpp: implement workaround for critical
QSslSocket issue
A severe bug was introduced in qt/qtbase@93a803a6de27d9eb57931c431b5f3d074914f693: q_SSL_shutdown() causes Qt to emit "error()" from unrelated QSslSocket(s), in addition to the correct one.
The issue causes Server::connectionClosed() to disconnect random authenticated clients.
The workaround consists in ignoring a specific OpenSSL error:
"Error while reading: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init [20]"
Definitely not ideal, but it fixes a critical vulnerability. Details on how to trigger it are deliberately omitted.
---
src/murmur/Server.cpp | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/murmur/Server.cpp b/src/murmur/Server.cpp
index cac75e4fea..055ad96d95 100644
--- a/src/murmur/Server.cpp
+++ b/src/murmur/Server.cpp
@@ -1422,6 +1422,19 @@ void Server::sslError(const QList<QSslError> &errors) {
}
void Server::connectionClosed(QAbstractSocket::SocketError err, const QString &reason) {
+ if (reason.contains(QLatin1String("140E0197"))) {
+ // A severe bug was introduced in qt/qtbase@93a803a6de27d9eb57931c431b5f3d074914f693.
+ // q_SSL_shutdown() causes Qt to emit "error()" from unrelated QSslSocket(s), in addition to the correct one.
+ // The issue causes this function to disconnect random authenticated clients.
+ //
+ // The workaround consists in ignoring a specific OpenSSL error:
+ // "Error while reading: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init [20]"
+ //
+ // Definitely not ideal, but it fixes a critical vulnerability.
+ qWarning("Ignored OpenSSL error 140E0197 for %p", sender());
+ return;
+ }
+
Connection *c = qobject_cast<Connection *>(sender());
if (! c)
return;
|