RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-02-17 19:16:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MEDIUM: mux-fcgi: Don't swap trash and dbuf when handling STDERR records

Browse Source 
trahs chunks are buffers but not allocated from the buffers pool. And the
"trash" chunk is static and thread-local. It is two reason to not swap it
with a regular buffer allocated from the buffers pool.

Unfortunatly, it is exactly what is performed in the FCGI mux when a STDERR
record is handled. b_xfer() is used to copy data from the demux buffer to
the trash to format the error message. A zeor-copy via a swap may be
performed. In this case, this leads to a memory corruption and a crash
because, some time later, the demux buffer is released because it is
empty. And it is in fact the trash chunk.

b_force_xfer() must be used instead. This function forces the copy.

This patch must be backported as far as 2.2. For 2.4 and 2.2, b_force_xfer()
does not exist. For these versions, the following commit must be backported
too:

  * c7860007cc ("MINOR: buf: Add b_force_xfer() function")
This commit is contained in:
Christopher Faulet 2023-09-11 18:57:39 +02:00
parent 1115fc348e
commit 665703d456
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/mux_fcgi.c
View File

@ -2363,7 +2363,7 @@ static int fcgi_strm_handle_stderr(struct fcgi_conn *fconn, struct fcgi_strm *fs
goto fail; // incomplete record
chunk_reset(&trash);
ret = b_xfer(&trash, dbuf, MIN(b_room(&trash), fconn->drl));
ret = b_force_xfer(&trash, dbuf, MIN(b_room(&trash), fconn->drl));
if (!ret)
goto fail;
fconn->drl -= ret;