RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-02-18 19:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity
2e85840266
haproxy/include/common/regex.h
Sasha Pachev c600204ddf BUG/MEDIUM: regex: fix risk of buffer overrun in exp_replace() 
Currently exp_replace() (which is used in reqrep/reqirep) is
vulnerable to a buffer overrun. I have been able to reproduce it using
the attached configuration file and issuing the following command:

  wget -O - -S -q http://localhost:8000/`perl -e 'print "a"x4000'`/cookie.php

Str was being checked only in in while (str) and it was possible to
read past that when more than one character was being accessed in the
loop.

WT:
   Note that this bug is only marked MEDIUM because configurations
   capable of triggering this bug are very unlikely to exist at all due
   to the fact that most rewrites consist in static string additions
   that largely fit into the reserved area (8kB by default).

   This fix should also be backported to 1.4 and possibly even 1.3 since
   it seems to have been present since 1.1 or so.

Config:
-------

  global
        maxconn         500
        stats socket /tmp/haproxy.sock mode 600

  defaults
        timeout client      1000
        timeout connect      5000
        timeout server      5000
        retries         1
        option redispatch

  listen stats
        bind :8080
        mode http
        stats enable
        stats uri /stats
        stats show-legends

  listen  tcp_1
        bind :8000
        mode            http
        maxconn 400
        balance roundrobin
        reqrep ^([^\ :]*)\ /(.*)/(.*)\.php(.*) \1\ /\3.php?arg=\2\2\2\2\2\2\2\2\2\2\2\2\2\4
        server  srv1 127.0.0.1:9000 check port 9000 inter 1000 fall 1
        server  srv2 127.0.0.1:9001 check port 9001 inter 1000 fall 1
2014-05-27 14:36:06 +02:00

121 lines
3.7 KiB
C
Raw Blame History

/*
* include/common/regex.h
* This file defines everything related to regular expressions.
*
* Copyright (C) 2000-2010 Willy Tarreau - w@1wt.eu
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation, version 2.1
* exclusively.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#ifndef _COMMON_REGEX_H
#define _COMMON_REGEX_H
#include <stdlib.h>
#include <common/config.h>
#ifdef USE_PCRE
#include <pcre.h>
#include <pcreposix.h>
#else /* no PCRE */
#include <regex.h>
#endif
struct my_regex {
#ifdef USE_PCRE
#ifdef USE_PCRE_JIT
#ifndef PCRE_CONFIG_JIT
#error "The PCRE lib doesn't support JIT. Change your lib, or remove the option USE_PCRE_JIT."
#endif
pcre *reg;
pcre_extra *extra;
#else /* no PCRE_JIT */
regex_t regex;
#endif
#else /* no PCRE */
regex_t regex;
#endif
};
/* what to do when a header matches a regex */
#define ACT_ALLOW 0 /* allow the request */
#define ACT_REPLACE 1 /* replace the matching header */
#define ACT_REMOVE 2 /* remove the matching header */
#define ACT_DENY 3 /* deny the request */
#define ACT_PASS 4 /* pass this header without allowing or denying the request */
#define ACT_TARPIT 5 /* tarpit the connection matching this request */
#define ACT_SETBE 6 /* switch the backend */
struct hdr_exp {
struct hdr_exp *next;
const regex_t *preg; /* expression to look for */
int action; /* ACT_ALLOW, ACT_REPLACE, ACT_REMOVE, ACT_DENY */
const char *replace; /* expression to set instead */
void *cond; /* a possible condition or NULL */
};
extern regmatch_t pmatch[MAX_MATCH];
/* "str" is the string that contain the regex to compile.
* "regex" is preallocated memory. After the execution of this function, this
* struct contain the compiled regex.
* "cs" is the case sensitive flag. If cs is true, case sensitive is enabled.
* "cap" is capture flag. If cap if true the regex can capture into
* parenthesis strings.
* "err" is the standar error message pointer.
*
* The function return 1 is succes case, else return 0 and err is filled.
*/
int regex_comp(const char *str, struct my_regex *regex, int cs, int cap, char **err);
int exp_replace(char *dst, uint dst_size, char *src, const char *str, const regmatch_t *matches);
const char *check_replace_string(const char *str);
const char *chain_regex(struct hdr_exp **head, const regex_t *preg,
int action, const char *replace, void *cond);
/* Note that <subject> MUST be at least <length+1> characters long and must
* be writable because the function will temporarily force a zero past the
* last character.
*/
static inline int regex_exec(const struct my_regex *preg, char *subject, int length) {
#ifdef USE_PCRE_JIT
return pcre_exec(preg->reg, preg->extra, subject, length, 0, 0, NULL, 0);
#else
int match;
char old_char = subject[length];
subject[length] = 0;
match = regexec(&preg->regex, subject, 0, NULL, 0);
subject[length] = old_char;
return match;
#endif
}
static inline void regex_free(struct my_regex *preg) {
#ifdef USE_PCRE_JIT
pcre_free_study(preg->extra);
pcre_free(preg->reg);
#else
regfree(&preg->regex);
#endif
}
#endif /* _COMMON_REGEX_H */
/*
* Local variables:
* c-indent-level: 8
* c-basic-offset: 8
* End:
*/
Reference in New Issue View Git Blame Copy Permalink