RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-13 23:14:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

[CRITICAL] cookies: mixing cookies in indirect mode and appsession can crash the process

Browse Source 
Cookies in indirect mode are removed from the cookie header. Three pointers
ought to be updated when appsession cookies are processed next, but were not.
The result is that a memcpy() can be called with a negative value causing the
process to crash. It is not sure whether this can be remotely exploited or not.
(cherry picked from commit c5f3749aa3ccfdebc4992854ea79823d26f66213)
This commit is contained in:
Willy Tarreau 2010-11-24 18:31:28 +01:00
parent 77eb9b8a2d
commit b810554f8f
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/proto_http.c
View File

@ -6263,6 +6263,11 @@ void manage_client_side_cookies(struct session *t, struct buffer *req)
if (del_from != NULL) {
int delta = del_hdr_value(req, &del_from, prev);
if (att_beg >= del_from)
att_beg += delta;
if (att_end >= del_from)
att_end += delta;
val_beg += delta;
val_end += delta;
next += delta;
hdr_end += delta;