mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-27 23:22:09 +00:00
haproxy public development tree
5dfc5d5cd0
The HPACK header table is implemented as a wrapping list inside a contigous area. Headers names and values are stored from right to left while indexes are stored from left to right. When there's no more room to store a new one, we wrap to the right again, or possibly defragment it if needed. The condition do use the right part (called tailroom) or the left part (called headroom) depends on the location of the last inserted header. After wrapping happens, the code forces to stick to tailroom by pretending there's no more headroom, so that the size fit test always fails. The problem is that nothing prevents from storing a header with an empty name and empty value, resulting in a total size of zero bytes, which satisfies the condition to use the headroom. Doing this in a wrapped buffer results in changing the "front" header index and causing miscalculations on the available size and the addresses of the next headers. This may even allow to overwrite some parts of the index, opening the possibility to perform arbitrary writes into a 32-bit relative address space. This patch fixes the issue by making sure the headroom is considered only when the buffer does not wrap, instead of relying on the zero size. This must be backported to all versions supporting H2, which is as far as 1.8. Many thanks to Felix Wilhelm of Google Project Zero for responsibly reporting this problem with a reproducer and a detailed analysis. CVE-2020-11100 was assigned to this issue. |
||
|---|---|---|
| .github | ||
| contrib | ||
| doc | ||
| ebtree | ||
| examples | ||
| include | ||
| reg-tests | ||
| scripts | ||
| src | ||
| tests | ||
| .cirrus.yml | ||
| .gitignore | ||
| .travis.yml | ||
| BRANCHES | ||
| CHANGELOG | ||
| CONTRIBUTING | ||
| INSTALL | ||
| LICENSE | ||
| MAINTAINERS | ||
| Makefile | ||
| README | ||
| ROADMAP | ||
| SUBVERS | ||
| VERDATE | ||
| VERSION | ||
The HAProxy documentation has been split into a number of different files for ease of use. Please refer to the following files depending on what you're looking for : - INSTALL for instructions on how to build and install HAProxy - BRANCHES to understand the project's life cycle and what version to use - LICENSE for the project's license - CONTRIBUTING for the process to follow to submit contributions The more detailed documentation is located into the doc/ directory : - doc/intro.txt for a quick introduction on HAProxy - doc/configuration.txt for the configuration's reference manual - doc/lua.txt for the Lua's reference manual - doc/SPOE.txt for how to use the SPOE engine - doc/network-namespaces.txt for how to use network namespaces under Linux - doc/management.txt for the management guide - doc/regression-testing.txt for how to use the regression testing suite - doc/peers.txt for the peers protocol reference - doc/coding-style.txt for how to adopt HAProxy's coding style - doc/internals for developer-specific documentation (not all up to date)