RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
haproxy/include
History
Willy Tarreau 58727ec088 BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes 
Commit 108b1dd ("MEDIUM: http: configurable http result codes for
http-request deny") introduced in 1.6-dev2 was incomplete. It introduced
a new field "rule_deny_status" into struct http_txn, which is filled only
by actions "http-request deny" and "http-request tarpit". It's then used
in the deny code path to emit the proper error message, but is used
uninitialized when the deny comes from a "reqdeny" rule, causing random
behaviours ranging from returning a 200, an empty response, or crashing
the process. Often upon startup only 200 was returned but after the fields
are used the crash happens. This can be sped up using -dM.

There's no need at all for storing this status in the http_txn struct
anyway since it's used immediately after being set. Let's store it in
a temporary variable instead which is passed as an argument to function
http_req_get_intercept_rule().

As an extra benefit, removing it from struct http_txn reduced the size
of this struct by 8 bytes.

This fix must be backported to 1.6 where the bug was detected. Special
thanks to Falco Schmutz for his detailed report including an exploitable
core and a reproducer.
 		2016-05-25 16:23:59 +02:00
..
common MINOR: add list_append_word function 2016-05-14 00:00:54 +02:00
import MINOR: lru: new function to delete <nb> least recently used keys 2016-01-11 07:31:35 +01:00
proto BUG/MAJOR: fix listening IP address storage for frontends 2016-05-19 10:43:24 +02:00
types BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes 2016-05-25 16:23:59 +02:00