From 1fc1f45618d6fe8d1fe2a2207c1ba1fae12d206c Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Thu, 7 Apr 2011 22:35:37 +0200 Subject: [PATCH] [CRITICAL] fix risk of crash when dealing with space in response cookies When doing fix 24581bae022bcf97ea7818e49ef27d21c92d6aa3 to correctly handle response cookies, an unfortunate typo was inserted in the less likely code path, resulting in a risk of crash when cookie-based persistence is enabled and the server emits a cookie with several spaces around the equal sign. This bug was noticed during a code backport. Its effects were never reported because this situation is very unlikely to appear, but it can be provoked on purpose by the server. This patch must be backported to 1.4 versions which contain the fix above (anything > 1.4.8), and to similar 1.3 versions > 1.3.25. 1.5-dev versions after 1.5-dev2 are affected too. --- src/proto_http.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/proto_http.c b/src/proto_http.c index 5e3975e2fa..379471efa8 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -6969,7 +6969,7 @@ void manage_server_side_cookies(struct session *t, struct buffer *res) hdr_end += stripped_before; hdr_next += stripped_before; cur_hdr->len += stripped_before; - http_msg_move_end(&txn->req, stripped_before); + http_msg_move_end(&txn->rsp, stripped_before); } /* First, let's see if we want to capture this cookie. We check