RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

BUG/MAJOR: http: prevent risk of reading past end with balance url_param 

The get_server_ph_post() function assumes that the buffer is contiguous.
While this is true for all the header part, it is not necessarily true
for the end of data the fit in the reserve. In this case there's a risk
to read past the end of the buffer for a few hundred bytes, and possibly
to crash the process if what follows is not mapped.

The fix consists in truncating the analyzed length to the length of the
contiguous block that follows the headers.

A config workaround for this bug would be to disable balance url_param.

This fix must be backported to 1.5. It seems 1.4 did have the check.
This commit is contained in:
Willy Tarreau 2015-05-02 00:05:47 +02:00
parent e115b49c39
commit f69d4ff006
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/backend.c
View File

@ -313,6 +313,9 @@ struct server *get_server_ph_post(struct stream *s)
if (len == 0)
return NULL;
if (len > req->buf->data + req->buf->size - p)
len = req->buf->data + req->buf->size - p;
if (px->lbprm.tot_weight == 0)
return NULL;