Fix unresponsive cupsd process caused by a slow client

If client is very slow, it will slow cupsd process for other clients.
The fix is the best effort without turning scheduler cupsd into
multithreaded process which would be too complex and error-prone when
backporting to 2.4.x series.

The fix for unencrypted communication is to follow up on communication
only if there is the whole line on input, and the waiting time is
guarded by timeout.

Encrypted communication now starts after we have the whole client hello
packet, which conflicts with optional upgrade support to HTTPS via
methods other than method OPTIONS, so this optional support defined in
RFC 2817, section 3.1 is removed. Too slow or incomplete requests are
handled by connection timeout.

Fixes CVE-2025-58436

Author: michaelrsweet

cups/http-private.h

@@ -83,6 +83,7 @@ extern "C" {
 // Constants...
 //
 
+#  define _HTTP_MAX_BUFFER	32768	/* Size of read buffer */
 #  define _HTTP_MAX_SBUFFER	65536	/* Size of (de)compression buffer */
 
 #  define _HTTP_TLS_NONE	0	/* No TLS options */
@@ -157,8 +158,8 @@ struct _http_s				// HTTP connection structure
   http_encoding_t	data_encoding;	/* Chunked or not */
   int			_data_remaining;/* Number of bytes left (deprecated) */
   int			used;		/* Number of bytes used in buffer */
-  char			buffer[HTTP_MAX_BUFFER];
-					/* Buffer for incoming data */
+  char			_buffer[HTTP_MAX_BUFFER];
+					/* Old read buffer (deprecated) */
   int			_auth_type;	/* Authentication in use (deprecated) */
   unsigned char		_md5_state[88];	/* MD5 state (deprecated) */
   char			nonce[HTTP_MAX_VALUE];
@@ -231,6 +232,8 @@ struct _http_s				// HTTP connection structure
   			*default_fields[HTTP_FIELD_MAX];
 					/* Default field values, if any */
   /**** New in CUPS 2.5 ****/
+  char			buffer[_HTTP_MAX_BUFFER];
+					/* Read buffer */
   char  		qop[HTTP_MAX_VALUE];
 					/* Quality of Protection (qop) value from WWW-Authenticate */
 };

cups/http.c

@@ -37,7 +37,7 @@ static http_t		*http_create(const char *host, int port, http_addrlist_t *addrlis
 #ifdef DEBUG
 static void		http_debug_hex(const char *prefix, const char *buffer, int bytes);
 #endif // DEBUG
-static ssize_t		http_read(http_t *http, char *buffer, size_t length);
+static ssize_t		http_read(http_t *http, char *buffer, size_t length, int timeout);
 static ssize_t		http_read_buffered(http_t *http, char *buffer, size_t length);
 static ssize_t		http_read_chunk(http_t *http, char *buffer, size_t length);
 static bool		http_send(http_t *http, http_state_t request, const char *uri);
@@ -1435,7 +1435,7 @@ httpGets2(http_t *http,			// I - HTTP connection
         return (NULL);
       }
 
-      bytes = http_read(http, http->buffer + http->used, (size_t)(HTTP_MAX_BUFFER - http->used));
+      bytes = http_read(http, http->buffer + http->used, (size_t)(_HTTP_MAX_BUFFER - http->used), http->wait_value);
 
       DEBUG_printf("4httpGets2: read " CUPS_LLFMT " bytes.", CUPS_LLCAST bytes);
 
@@ -1919,24 +1919,13 @@ httpPeek(http_t *http,			// I - HTTP connection
     // Buffer small reads for better performance...
     ssize_t	buflen;			// Length of read for buffer
 
-    if (!http->blocking)
-    {
-      while (!httpWait(http, http->wait_value))
-      {
-	if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
-	  continue;
-
-	return (0);
-      }
-    }
-
     if ((size_t)http->data_remaining > sizeof(http->buffer))
       buflen = sizeof(http->buffer);
     else
       buflen = (ssize_t)http->data_remaining;
 
     DEBUG_printf("2httpPeek: Reading %d bytes into buffer.", (int)buflen);
-    bytes = http_read(http, http->buffer, (size_t)buflen);
+    bytes = http_read(http, http->buffer, (size_t)buflen, http->wait_value);
 
     DEBUG_printf("2httpPeek: Read " CUPS_LLFMT " bytes into buffer.", CUPS_LLCAST bytes);
     if (bytes > 0)
@@ -1954,9 +1943,9 @@ httpPeek(http_t *http,			// I - HTTP connection
     int		zerr;			// Decompressor error
     z_stream	stream;			// Copy of decompressor stream
 
-    if (http->used > 0 && ((z_stream *)http->stream)->avail_in < HTTP_MAX_BUFFER)
+    if (http->used > 0 && ((z_stream *)http->stream)->avail_in < _HTTP_MAX_BUFFER)
     {
-      size_t buflen = HTTP_MAX_BUFFER - ((z_stream *)http->stream)->avail_in;
+      size_t buflen = _HTTP_MAX_BUFFER - ((z_stream *)http->stream)->avail_in;
 					// Number of bytes to copy
 
       if (((z_stream *)http->stream)->avail_in > 0 && ((z_stream *)http->stream)->next_in > http->sbuffer)
@@ -2205,7 +2194,7 @@ httpRead2(http_t *http,			// I - HTTP connection
 
       if (bytes == 0)
       {
-        ssize_t buflen = HTTP_MAX_BUFFER - (ssize_t)((z_stream *)http->stream)->avail_in;
+        ssize_t buflen = _HTTP_MAX_BUFFER - (ssize_t)((z_stream *)http->stream)->avail_in;
 					// Additional bytes for buffer
 
         if (buflen > 0)
@@ -2904,17 +2893,51 @@ int					// O - 1 to continue, 0 to stop
 _httpUpdate(http_t        *http,	// I - HTTP connection
             http_status_t *status)	// O - Current HTTP status
 {
-  char		line[32768],		// Line from connection...
+  char		line[_HTTP_MAX_BUFFER],	// Line from connection...
 		*value;			// Pointer to value on line
   http_field_t	field;			// Field index
   int		major, minor;		// HTTP version numbers
 
 
   DEBUG_printf("_httpUpdate(http=%p, status=%p), state=%s", (void *)http, (void *)status, httpStateString(http->state));
 
+  // When doing non-blocking I/O, make sure we have a whole line...
+  if (!http->blocking)
+  {
+    ssize_t	bytes;			// Bytes "peeked" from connection
+
+    // See whether our read buffer is full...
+    DEBUG_printf("2_httpUpdate: used=%d", http->used);
+
+    if (http->used > 0 && !memchr(http->buffer, '\n', (size_t)http->used) && (size_t)http->used < sizeof(http->buffer))
+    {
+      // No, try filling in more data...
+      if ((bytes = http_read(http, http->buffer + http->used, sizeof(http->buffer) - (size_t)http->used, /*timeout*/0)) > 0)
+      {
+	DEBUG_printf("2_httpUpdate: Read %d bytes.", (int)bytes);
+	http->used += (int)bytes;
+      }
+    }
+
+    // Peek at the incoming data...
+    if (!http->used || !memchr(http->buffer, '\n', (size_t)http->used))
+    {
+      // Don't have a full line, tell the reader to try again when there is more data...
+      DEBUG_puts("1_htttpUpdate: No newline in buffer yet.");
+      if ((size_t)http->used == sizeof(http->buffer))
+	*status = HTTP_STATUS_ERROR;
+      else
+	*status = HTTP_STATUS_CONTINUE;
+      return (0);
+    }
+
+    DEBUG_puts("2_httpUpdate: Found newline in buffer.");
+  }
+
   // Grab a single line from the connection...
   if (!httpGets2(http, line, sizeof(line)))
   {
+    DEBUG_puts("1_httpUpdate: Error reading request line.");
     *status = HTTP_STATUS_ERROR;
     return (0);
   }
@@ -4100,7 +4123,8 @@ http_debug_hex(const char *prefix,	// I - Prefix for line
 static ssize_t				// O - Number of bytes read or -1 on error
 http_read(http_t *http,			// I - HTTP connection
           char   *buffer,		// I - Buffer
-          size_t length)		// I - Maximum bytes to read
+          size_t length,		// I - Maximum bytes to read
+          int    timeout)		// I - Wait timeout
 {
   ssize_t	bytes;			// Bytes read
 
@@ -4109,7 +4133,7 @@ http_read(http_t *http,			// I - HTTP connection
 
   if (!http->blocking || http->timeout_value > 0.0)
   {
-    while (!httpWait(http, http->wait_value))
+    while (!_httpWait(http, timeout, 1))
     {
       if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
 	continue;
@@ -4212,7 +4236,7 @@ http_read_buffered(http_t *http,	// I - HTTP connection
     else
       bytes = (ssize_t)length;
 
-    DEBUG_printf("8http_read: Grabbing %d bytes from input buffer.", (int)bytes);
+    DEBUG_printf("8http_read_buffered: Grabbing %d bytes from input buffer.", (int)bytes);
 
     memcpy(buffer, http->buffer, (size_t)bytes);
     http->used -= (int)bytes;
@@ -4222,7 +4246,7 @@ http_read_buffered(http_t *http,	// I - HTTP connection
   }
   else
   {
-    bytes = http_read(http, buffer, length);
+    bytes = http_read(http, buffer, length, http->wait_value);
   }
 
   return (bytes);
@@ -4535,16 +4559,14 @@ http_set_timeout(int    fd,		// I - File descriptor
 static void
 http_set_wait(http_t *http)		// I - HTTP connection
 {
-  if (http->blocking)
-  {
-    http->wait_value = (int)(http->timeout_value * 1000);
+  http->wait_value = (int)(http->timeout_value * 1000);
 
-    if (http->wait_value <= 0)
-      http->wait_value = 60000;
-  }
-  else
+  if (http->wait_value <= 0)
   {
-    http->wait_value = 10000;
+    if (http->blocking)
+      http->wait_value = 60000;
+    else
+      http->wait_value = 1000;
   }
 }
 

cups/tls-gnutls.c

@@ -1832,7 +1832,7 @@ _httpTLSStart(http_t *http)		// I - Connection to server
 
       if (!cupsCreateCredentials(tls_keypath, false, CUPS_CREDPURPOSE_SERVER_AUTH, CUPS_CREDTYPE_DEFAULT, CUPS_CREDUSAGE_DEFAULT_TLS, NULL, NULL, NULL, NULL, NULL, cn, /*email*/NULL, 0, NULL, NULL, time(NULL) + 3650 * 86400))
       {
-	DEBUG_puts("4_httpTLSStart: cupsCreateCredentials failed.");
+	DEBUG_printf("4_httpTLSStart: cupsCreateCredentials failed: %s", cupsGetErrorString());
 	http->error  = errno = EINVAL;
 	http->status = HTTP_STATUS_ERROR;
 	cupsMutexUnlock(&tls_mutex);

cups/tls-openssl.c

@@ -1900,7 +1900,7 @@ _httpTLSStart(http_t *http)		// I - Connection to server
 
       if (!cupsCreateCredentials(tls_keypath, false, CUPS_CREDPURPOSE_SERVER_AUTH, CUPS_CREDTYPE_DEFAULT, CUPS_CREDUSAGE_DEFAULT_TLS, NULL, NULL, NULL, NULL, NULL, cn, NULL, 0, NULL, NULL, time(NULL) + 3650 * 86400))
       {
-	DEBUG_puts("4_httpTLSStart: cupsCreateCredentials failed.");
+	DEBUG_printf("4_httpTLSStart: cupsCreateCredentials failed: %s", cupsGetErrorString());
 	http->error  = errno = EINVAL;
 	http->status = HTTP_STATUS_ERROR;
 	SSL_CTX_free(context);
@@ -2190,11 +2190,14 @@ http_bio_read(BIO  *h,			// I - BIO data
   http = (http_t *)BIO_get_data(h);
   DEBUG_printf("9http_bio_read: http=%p", (void *)http);
 
-  if (!http->blocking)
+  if (!http->blocking || http->timeout_value > 0.0)
   {
     // Make sure we have data before we read...
-    if (!_httpWait(http, 10000, 0))
+    while (!_httpWait(http, http->wait_value, 0))
     {
+      if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
+	continue;
+
 #ifdef WIN32
       http->error = WSAETIMEDOUT;
 #else