mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2025-02-23 06:06:54 +00:00
When an HTX block is expanded, a defragmentation may be performed first to have enough space to copy the new data. When it happens, the metadata of the HTX message must take account of the new data length, but the copied data are still unchanged at this stage (because we need more space to update the message content). And here there is a bug, because the metadata are updated by the caller. It means that when the block's content is copied, the new length is already set. Thus a block larger than the reality is copied and data outside the buffer may be accessed, leading to a crash.

To fix this bug, htx_defrag() is updated to use an extra argument with the new metadata to use for the referenced block. Thus the caller does not need to update the HTX message by itself. However, it still has to update the data.

Most of the time, the bug will be encountered in the HTTP compression filter. But, even if it is highly unlikely, in theory it is also possible to hit it when an HTTP header (or only its value) is replaced or when the start-line is changed.

This patch must be backported as far as 2.0.
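The bug class the commit message describes, as an added illustration in C that is not HAProxy's code: a toy message buffer whose blocks are described by (offset, length) metadata, a defrag routine that compacts the blocks by copying their recorded lengths, and the two call patterns side by side. In the buggy pattern the caller bumps the block length before defragmenting, so the compaction copies more bytes than the block holds; in the fixed pattern the new length is passed to the defrag routine, which copies only the existing bytes and reserves the new size itself. All names here (`struct msg`, `defrag`, `expand_buggy`, `expand_fixed`) and the sample blocks are constructed for this example. The over-read is counted rather than performed so the demonstration stays memory-safe.

```c
#include <stddef.h>
#include <string.h>

/* Constructed toy model of a defragmentable message buffer; these are not
 * HAProxy's HTX structures or functions. Blocks are stored back to back in
 * a flat data area and described by (offset, length) metadata. */
#define MAX_BLOCKS 8
#define DATA_CAP   64

struct blk { size_t off; size_t len; };

struct msg {
    unsigned char data[DATA_CAP];
    size_t used;                  /* bytes of the data area in use */
    struct blk blks[MAX_BLOCKS];
    size_t nblk;
};

static int msg_add(struct msg *m, const char *s)
{
    size_t len = strlen(s);
    if (m->nblk == MAX_BLOCKS || m->used + len > DATA_CAP)
        return -1;
    memcpy(m->data + m->used, s, len);
    m->blks[m->nblk].off = m->used;
    m->blks[m->nblk].len = len;
    m->used += len;
    m->nblk++;
    return 0;
}

/* Compact all blocks into a fresh area. Block `idx` is given room for
 * `new_len` bytes, but only the bytes it currently holds are copied: the
 * caller writes the new content afterwards. Returns how many bytes the copy
 * would have read beyond the end of the data area (0 = no over-read); the
 * copy is clamped so this demonstration itself never reads out of bounds.
 * Returns (size_t)-1 if the blocks do not fit even after compaction. */
static size_t defrag(struct msg *m, size_t idx, size_t new_len)
{
    unsigned char tmp[DATA_CAP];
    size_t pos = 0, overread = 0;

    for (size_t i = 0; i < m->nblk; i++) {
        struct blk *b = &m->blks[i];
        size_t reserve = (i == idx) ? new_len : b->len;
        size_t avail = (b->off < m->used) ? m->used - b->off : 0;
        size_t copy = (b->len <= avail) ? b->len : avail;

        if (b->len > avail)
            overread += b->len - avail;   /* real code would read OOB here */
        if (copy > reserve)
            copy = reserve;
        if (pos + reserve > DATA_CAP)
            return (size_t)-1;
        memcpy(tmp + pos, m->data + b->off, copy);
        b->off = pos;
        b->len = reserve;                 /* metadata updated by defrag itself */
        pos += reserve;
    }
    memcpy(m->data, tmp, pos);
    m->used = pos;
    return overread;
}

/* Buggy pattern: the caller sets the new length *before* defragmenting, so
 * the compaction copies new_len bytes from a block that only holds its old
 * length. */
static size_t expand_buggy(struct msg *m, size_t idx, size_t new_len)
{
    m->blks[idx].len = new_len;
    return defrag(m, idx, new_len);
}

/* Fixed pattern: the caller leaves the metadata alone and hands the new
 * length to defrag, which copies the old bytes and reserves the new size. */
static size_t expand_fixed(struct msg *m, size_t idx, size_t new_len)
{
    return defrag(m, idx, new_len);
}

/* Constructed scenario: three blocks, the last one (7 bytes) grows to 20.
 * Returns the number of bytes the buggy path would read past the buffer. */
static size_t demo_buggy(void)
{
    struct msg m = {0};
    msg_add(&m, "GET / HTTP/1.1");     /* 14 bytes at offset 0  */
    msg_add(&m, "Host: a");            /*  7 bytes at offset 14 */
    msg_add(&m, "Accept:");            /*  7 bytes at offset 21 */
    return expand_buggy(&m, 2, 20);    /* 20 requested, 7 available: 13 over */
}

/* Same scenario through the fixed path: no over-read, and the block's
 * metadata and the data area now reflect the reserved 20 bytes. */
static int demo_fixed_ok(void)
{
    struct msg m = {0};
    msg_add(&m, "GET / HTTP/1.1");
    msg_add(&m, "Host: a");
    msg_add(&m, "Accept:");
    size_t ov = expand_fixed(&m, 2, 20);
    return ov == 0 && m.blks[2].len == 20 && m.used == 14 + 7 + 20;
}
```

The essential difference is who owns the length field during the copy: as long as the compaction trusts metadata that already describes the future size, any expansion of a block near the end of the data area turns into a read past the buffer, which is exactly why moving the update into the defrag routine (with the new size passed as an argument) closes the window.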