diff options
| author |   Frank de Brabander <debrabander@gmail.com> | 2022-10-18 18:37:51 +0200 |
|---|---|---|
| committer |   Steve Sakoman <steve@sakoman.com> | 2022-11-04 07:52:01 -1000 |
| commit | f51a6742bcae3a151a326d17cd44935815eb78c7 (patch) | |
| tree | ba975e355efe5b2ff6e65c8bfe3cd8c3564c137e | |
| parent | ac4476e6594417b14bfb05a110009ef245f419b0 (diff) | |
| download | openembedded-core-contrib-f51a6742bcae3a151a326d17cd44935815eb78c7.tar.gz | |
cve-update-db-native: add timeout to urlopen() calls
The urlopen() call can block indefinitely under some circumstances.
This can result in the bitbake process to run endlessly because of
the 'do_fetch' task of cve-update-bb-native to remain active.
This adds a default timeout of 60 seconds to avoid this hang, while
being large enough to minimize the risk of unwanted timeouts.
Signed-off-by: Frank de Brabander <debrabander@gmail.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e5f6652854f544106b40d860de2946954de642f3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-core/meta/cve-update-db-native.bb | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index 85874ead01..59e7d7dc2c 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb @@ -17,6 +17,9 @@ deltask do_populate_sysroot # Use a negative value to skip the update CVE_DB_UPDATE_INTERVAL ?= "86400" +# Timeout for blocking socket operations, such as the connection attempt. +CVE_SOCKET_TIMEOUT ?= "60" + python () { if not bb.data.inherits_class("cve-check", d): raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.") @@ -39,6 +42,8 @@ python do_fetch() { db_file = d.getVar("CVE_CHECK_DB_FILE") db_dir = os.path.dirname(db_file) + cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT")) + if os.path.exists("{0}-journal".format(db_file)): # If a journal is present the last update might have been interrupted. In that case, # just wipe any leftovers and force the DB to be recreated. @@ -77,7 +82,7 @@ python do_fetch() { # Retrieve meta last modified date try: - response = urllib.request.urlopen(meta_url) + response = urllib.request.urlopen(meta_url, timeout=cve_socket_timeout) except urllib.error.URLError as e: cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n') bb.warn("Failed to fetch CVE data (%s)" % e.reason) @@ -104,7 +109,7 @@ python do_fetch() { # Update db with current year json file try: - response = urllib.request.urlopen(json_url) + response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout) if response: update_db(conn, gzip.decompress(response.read()).decode('utf-8')) conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close() |