From 13333db69f9b9710a98c86f44276e01e95420fa0 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 16 Aug 2022 16:26:02 -0700 Subject: [PATCH 1/2] compression buffer was not reused correctly when the compression buffer was reused for multiple statistics requests, responses could grow beyond the correct size. this was because the buffer was not cleared before reuse; compressed data was still written to the beginning of the buffer, but then the size of used region was increased by the amount written, rather than set to the amount written. this caused responses to grow larger and larger, potentially reading past the end of the allocated buffer. (cherry picked from commit 47e9fa981e56a7a232f3219fe8a40525c79d748b) --- lib/isc/httpd.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c index a701fb2a84..14c9fbfe81 100644 --- a/lib/isc/httpd.c +++ b/lib/isc/httpd.c @@ -202,6 +202,8 @@ free_buffer(isc_mem_t *mctx, isc_buffer_t *buffer) { if (r.base != NULL) { isc_mem_put(mctx, r.base, r.length); } + + isc_buffer_initnull(buffer); } isc_result_t @@ -861,6 +863,7 @@ httpd_compress(isc_httpd_t *httpd) { inputlen = isc_buffer_usedlength(&httpd->bodybuffer); alloc_compspace(httpd, inputlen); + isc_buffer_clear(&httpd->compbuffer); isc_buffer_region(&httpd->compbuffer, &r); /* From 2312c45ff2c0ff28e9bc008417d4eb2ba62d34c9 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 16 Aug 2022 16:26:02 -0700 Subject: [PATCH 2/2] CHANGES and release notes for CVE-2022-2881 [GL #3493] (cherry picked from commit 430ee6c4271e68a2bbb8163ed0e1d2e37fbe3d5d) --- CHANGES | 7 +++++++ doc/notes/notes-current.rst | 5 +++++ 2 files changed, 12 insertions(+) diff --git a/CHANGES b/CHANGES index 059cc4a1b6..a8cf9b21e8 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,3 +1,10 @@ +5958. [security] When an HTTP connection was reused to get + statistics from the stats channel, and zlib + compression was in use, each successive + response sent larger and larger blocks of memory, + potentially reading past the end of the allocated + buffer. (CVE-2022-2881) [GL #3493] + 5957. [security] Prevent excessive resource use while processing large delegations. (CVE-2022-2795) [GL #3394] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 020cfd08ba..f0bd64c74c 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -24,6 +24,11 @@ Security Fixes Bremler-Barr & Shani Stajnrod from Reichman University for bringing this vulnerability to our attention. :gl:`#3394` +- When an HTTP connection was reused to request statistics from the + stats channel, the content length of successive responses could grow + in size past the end of the allocated buffer. This has been fixed. + (CVE-2022-2881) :gl:`#3493` + Known Issues ~~~~~~~~~~~~
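Review bot: the new isc_buffer_initnull(buffer) in free_buffer deserves a one-line comment explaining why it is there, because its purpose is not visible from this function alone. After isc_mem_put releases r.base, resetting the buffer means a later free_buffer on the same isc_buffer_t sees r.base == NULL and skips the isc_mem_put instead of releasing already-freed memory, and any later code that inspects the buffer finds it empty rather than pointing at freed storage. A comment such as "reset so the buffer is safe to free or reuse again" above the new line would make that intent explicit.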
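Review bot: the isc_buffer_clear(&httpd->compbuffer) in httpd_compress is in the right place, after alloc_compspace(httpd, inputlen) and before isc_buffer_region(&httpd->compbuffer, &r), so the used region is reset on the buffer that will actually receive this request's compressed output, and the following code then adds only the bytes written for this request, which is the defect the commit message describes. Two follow-ups: (1) add a comment above the new line stating that compbuffer persists across requests on a reused connection and its used length must be reset before each compression, so the clear is not removed as redundant later; (2) add a regression test that issues at least two statistics requests over one reused connection with compression enabled and asserts that the second response's Content-Length does not exceed the first's and that both bodies decompress to complete statistics output, since that growth is exactly the symptom reported.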
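Review bot: the release note in doc/notes/notes-current.rst omits the precondition that zlib compression was in use, which both the commit message of the first patch and the CHANGES entry 5958 state; operators reading the notes to judge their exposure need it. Suggest aligning the wording with CHANGES, e.g. "When an HTTP connection was reused to request statistics from the stats channel and zlib compression was in use, the content length of successive responses could grow in size past the end of the allocated buffer." The :gl:`#3493` reference and the CVE identifier match the CHANGES entry, so no change is needed there.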