mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-13 15:04:42 +00:00
7f2a44d319
Tim Düsterhus found using afl-fuzz that some parts of the HPACK decoder use incorrect bounds checking which does not catch negative values after a type cast. The first culprit is hpack_valid_idx() which takes a signed int and is fed with an unsigned one, but a few others are affected as well due to being designed to work with a uint16_t as in the table header, thus not being able to detect the high offset bits, though they are not exposed if hpack_valid_idx() is fixed. The impact is that the HPACK decoder can be crashed by an out-of-bounds read. The only work-around without this patch is to disable H2 in the configuration. CVE-2018-14645 was assigned to this bug. This patch addresses all of these issues at once. It must be backported to 1.8. |
||
---|---|---|
common | ||
import | ||
proto | ||
types |