From 6f61b215247ed87371c551fc09457bfdb8b72ddc Mon Sep 17 00:00:00 2001
From: Krzysztof Piotr Oledzki
Date: Sun, 4 Oct 2009 23:34:15 +0200
Subject: [PATCH] [BUG] Fix NULL pointer dereference in stats_check_uri_auth(), v2
Recent "struct chunk rework" introduced a NULL pointer dereference and now haproxy segfaults if auth is required for stats but not found. The reason is that size_t cannot store negative values, but current code assumes that "len < 0" == uninitialized. This patch fixes it.
---
 include/proto/buffers.h | 4 ++--
 include/types/buffers.h | 2 +-
 src/proto_http.c | 3 +--
 3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/include/proto/buffers.h b/include/proto/buffers.h
index cec7b02fb..e061b2c0b 100644
--- a/include/proto/buffers.h
+++ b/include/proto/buffers.h
@@ -439,9 +439,9 @@ static inline void chunk_init(struct chunk *chk, char *str, size_t size) {
 }
 /* report 0 in case of error, 1 if OK. */
-static inline int chunk_initlen(struct chunk *chk, char *str, size_t size, size_t len) {
+static inline int chunk_initlen(struct chunk *chk, char *str, size_t size, int len) {
- if (len > size)
+ if (size && len > size)
 return 0;
 chk->str = str;
diff --git a/include/types/buffers.h b/include/types/buffers.h
index 133285f4c..fc070bda1 100644
--- a/include/types/buffers.h
+++ b/include/types/buffers.h
@@ -149,7 +149,7 @@ struct chunk {
 char *str; /* beginning of the string itself. Might not be 0-terminated */
 size_t size; /* total size of the buffer, 0 if the *str is read-only */
- size_t len; /* current size of the string from first to last char. <0 = uninit. */
+ int len; /* current size of the string from first to last char. <0 = uninit. */
 };
 /* needed for a declaration below */
diff --git a/src/proto_http.c b/src/proto_http.c
index 4638d09c5..869859404 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
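Review bot: In chunk_initlen (include/proto/buffers.h) the new guard `if (size && len > size)` compares an `int` with a `size_t` and is skipped entirely when `size` is 0, so a negative `len` is accepted unchecked for read-only chunks and is rejected for writable ones only because the conversion to unsigned makes it look huge. If negative lengths are not meant to enter through this helper, make that explicit with `if (len < 0 || (size && (size_t)len > size)) return 0;`; if they are, the header comment above the function should say so. The same int/size_t mix now exists between `len` and `size` in `struct chunk` (the include/types/buffers.h hunk), so other comparisons or subtractions of the two fields are worth auditing, and building with -Wsign-compare would surface them. The function body continues past the end of this hunk.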
@@ -4596,8 +4596,7 @@ int stats_check_uri_auth(struct session *t, struct proxy *backend)
 int len = txn->hdr_idx.v[cur_idx].len;
 if (len > 14 && !strncasecmp("Authorization:", h, 14)) {
- txn->auth_hdr.str = h;
- txn->auth_hdr.len = len;
+ chunk_initlen(&txn->auth_hdr, h, 0, len);
 break;
 }
 h += len + txn->hdr_idx.v[cur_idx].cr + 1;
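Review bot: The literal `0` passed as the size in `chunk_initlen(&txn->auth_hdr, h, 0, len);` carries a meaning that is documented only in types/buffers.h (read-only string), and the call's return value is dropped. A short comment such as `/* size 0: auth_hdr points into the header data walked by h, read-only and not 0-terminated */` would tell later readers that consumers have to bound every access by `auth_hdr.len`. Ignoring the result looks safe here because `len > 14` was just tested and the size check is bypassed for size 0, but that relies on chunk_initlen's current body, most of which is outside this patch. stats_check_uri_auth starts and ends outside the hunk.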