pool/haproxy
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 400814 from server:http

Browse Source 
1

OBS-URL: https://build.opensuse.org/request/show/400814
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=39
This commit is contained in:
Dominique Leuenberger 2016-06-14 21:07:07 +00:00 committed by Git OBS Bridge
commit 5707ef87f9
16 changed files with 1112 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

151
0001-BUG-MAJOR-fix-listening-IP-address-storage-for-front.patch Normal file
View File

@ -0,0 +1,151 @@
From 66dd99c4c9d828c2c2f7295b7db66f7ff6f2fa8e Mon Sep 17 00:00:00 2001
From: Vincent Bernat <vincent@bernat.im>
Date: Wed, 18 May 2016 16:17:44 +0200
Subject: [PATCH 01/14] BUG/MAJOR: fix listening IP address storage for
frontends
When compiled with GCC 6, the IP address specified for a frontend was
ignored and HAProxy was listening on all addresses instead. This is
caused by an incomplete copy of a "struct sockaddr_storage".
With the GNU Libc, "struct sockaddr_storage" is defined as this:
struct sockaddr_storage
{
sa_family_t ss_family;
unsigned long int __ss_align;
char __ss_padding[(128 - (2 * sizeof (unsigned long int)))];
};
Doing an aggregate copy (ss1 = ss2) is different than using memcpy():
only members of the aggregate have to be copied. Notably, padding can be
or not be copied. In GCC 6, some optimizations use this fact and if a
"struct sockaddr_storage" contains a "struct sockaddr_in", the port and
the address are part of the padding (between sa_family and __ss_align)
and can be not copied over.
Therefore, we replace any aggregate copy by a memcpy(). There is another
place using the same pattern. We also fix a function receiving a "struct
sockaddr_storage" by copy instead of by reference. Since it only needs a
read-only copy, the function is converted to request a reference.
(cherry picked from commit 6e61589573f49b20a7184c9d297af1fc7d9184d8)
---
include/proto/proto_http.h | 2 +-
src/cfgparse.c | 2 +-
src/connection.c | 2 +-
src/hlua.c | 2 +-
src/proto_http.c | 12 ++++++------
src/proto_tcp.c | 2 +-
6 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/include/proto/proto_http.h b/include/proto/proto_http.h
index a1b0cb3..4ed96e3 100644
--- a/include/proto/proto_http.h
+++ b/include/proto/proto_http.h
@@ -110,7 +110,7 @@ void http_set_status(unsigned int status, struct stream *s);
int http_transform_header_str(struct stream* s, struct http_msg *msg, const char* name,
unsigned int name_len, const char *str, struct my_regex *re,
int action);
-void inet_set_tos(int fd, struct sockaddr_storage from, int tos);
+void inet_set_tos(int fd, const struct sockaddr_storage *from, int tos);
void http_perform_server_redirect(struct stream *s, struct stream_interface *si);
void http_return_srv_error(struct stream *s, struct stream_interface *si);
void http_capture_bad_message(struct error_snapshot *es, struct stream *s,
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 97ec2e1..c118bd4 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -285,7 +285,7 @@ int str2listener(char *str, struct proxy *curproxy, struct bind_conf *bind_conf,
}
/* OK the address looks correct */
- ss = *ss2;
+ memcpy(&ss, ss2, sizeof(ss));
for (; port <= end; port++) {
l = (struct listener *)calloc(1, sizeof(struct listener));
diff --git a/src/connection.c b/src/connection.c
index b926e9f..991cae3 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -744,7 +744,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
const char pp2_signature[] = PP2_SIGNATURE;
int ret = 0;
struct proxy_hdr_v2 *hdr = (struct proxy_hdr_v2 *)buf;
- struct sockaddr_storage null_addr = {0};
+ struct sockaddr_storage null_addr = { .ss_family = 0 };
struct sockaddr_storage *src = &null_addr;
struct sockaddr_storage *dst = &null_addr;
diff --git a/src/hlua.c b/src/hlua.c
index 5ea3a83..edd288d 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -4790,7 +4790,7 @@ __LJMP static int hlua_txn_set_tos(lua_State *L)
tos = MAY_LJMP(luaL_checkinteger(L, 2));
if ((cli_conn = objt_conn(htxn->s->sess->origin)) && conn_ctrl_ready(cli_conn))
- inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, tos);
+ inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, tos);
return 0;
}
diff --git a/src/proto_http.c b/src/proto_http.c
index 9de1a17..59cd5d2 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3403,15 +3403,15 @@ int http_handle_stats(struct stream *s, struct channel *req)
/* Sets the TOS header in IPv4 and the traffic class header in IPv6 packets
* (as per RFC3260 #4 and BCP37 #4.2 and #5.2).
*/
-void inet_set_tos(int fd, struct sockaddr_storage from, int tos)
+void inet_set_tos(int fd, const struct sockaddr_storage *from, int tos)
{
#ifdef IP_TOS
- if (from.ss_family == AF_INET)
+ if (from->ss_family == AF_INET)
setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos));
#endif
#ifdef IPV6_TCLASS
- if (from.ss_family == AF_INET6) {
- if (IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&from)->sin6_addr))
+ if (from->ss_family == AF_INET6) {
+ if (IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)from)->sin6_addr))
/* v4-mapped addresses need IP_TOS */
setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos));
else
@@ -3577,7 +3577,7 @@ resume_execution:
case ACT_HTTP_SET_TOS:
if ((cli_conn = objt_conn(sess->origin)) && conn_ctrl_ready(cli_conn))
- inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, rule->arg.tos);
+ inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, rule->arg.tos);
break;
case ACT_HTTP_SET_MARK:
@@ -3860,7 +3860,7 @@ resume_execution:
case ACT_HTTP_SET_TOS:
if ((cli_conn = objt_conn(sess->origin)) && conn_ctrl_ready(cli_conn))
- inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, rule->arg.tos);
+ inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, rule->arg.tos);
break;
case ACT_HTTP_SET_MARK:
diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index cce0acb..59cfea2 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -435,7 +435,7 @@ int tcp_connect_server(struct connection *conn, int data, int delack)
struct sockaddr_storage sa;
ret = 1;
- sa = src->source_addr;
+ memcpy(&sa, &src->source_addr, sizeof(sa));
do {
/* note: in case of retry, we may have to release a previously
--
2.6.6

30
0002-BUG-MINOR-fix-listening-IP-address-storage-for-front.patch Normal file
View File

@ -0,0 +1,30 @@
From 254646083703fba5cc86cba31118e20f45784ce6 Mon Sep 17 00:00:00 2001
From: Vincent Bernat <vincent@bernat.im>
Date: Thu, 19 May 2016 11:29:43 +0200
Subject: [PATCH 02/14] BUG/MINOR: fix listening IP address storage for
frontends (cont)
Commit 6e6158 was incomplete. There was an additional aggregate copy
that may trigger a similar case in the future.
(cherry picked from commit 6e46ff11e9c0d0b9266226ad911362c8a62ee458)
---
src/cfgparse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cfgparse.c b/src/cfgparse.c
index c118bd4..b0f837e 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -296,7 +296,7 @@ int str2listener(char *str, struct proxy *curproxy, struct bind_conf *bind_conf,
l->bind_conf = bind_conf;
l->fd = fd;
- l->addr = ss;
+ memcpy(&l->addr, &ss, sizeof(ss));
l->xprt = &raw_sock;
l->state = LI_INIT;
--
2.6.6

28
0003-DOC-Fix-typo-so-fetch-is-properly-parsed-by-Cyril-s-.patch Normal file
View File

@ -0,0 +1,28 @@
From 0c60f3790d6f177f123d4ae63d5f17868c789d12 Mon Sep 17 00:00:00 2001
From: Nenad Merdanovic <nmerdan@anine.io>
Date: Tue, 17 May 2016 03:31:21 +0200
Subject: [PATCH 03/14] DOC: Fix typo so fetch is properly parsed by Cyril's
converter
Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
(cherry picked from commit 1516fe31dddc9f50a8783db496072ea67db0adde)
---
doc/configuration.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 38bde30..d51d741 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -13043,7 +13043,7 @@ ssl_fc_has_sni : boolean
that the SSL library is build with support for TLS extensions enabled (check
haproxy -vv).
-ssl_fc_is_resumed: boolean
+ssl_fc_is_resumed : boolean
Returns true if the SSL/TLS session has been resumed through the use of
SSL session cache or TLS tickets.
--
2.6.6

122
0004-BUG-MAJOR-http-fix-breakage-of-reqdeny-causing-rando.patch Normal file
View File

@ -0,0 +1,122 @@
From 60f01f8c89e4fb2723d5a9f2046286e699567e0b Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Wed, 25 May 2016 16:23:59 +0200
Subject: [PATCH 04/14] BUG/MAJOR: http: fix breakage of "reqdeny" causing
random crashes
Commit 108b1dd ("MEDIUM: http: configurable http result codes for
http-request deny") introduced in 1.6-dev2 was incomplete. It introduced
a new field "rule_deny_status" into struct http_txn, which is filled only
by actions "http-request deny" and "http-request tarpit". It's then used
in the deny code path to emit the proper error message, but is used
uninitialized when the deny comes from a "reqdeny" rule, causing random
behaviours ranging from returning a 200, an empty response, or crashing
the process. Often upon startup only 200 was returned but after the fields
are used the crash happens. This can be sped up using -dM.
There's no need at all for storing this status in the http_txn struct
anyway since it's used immediately after being set. Let's store it in
a temporary variable instead which is passed as an argument to function
http_req_get_intercept_rule().
As an extra benefit, removing it from struct http_txn reduced the size
of this struct by 8 bytes.
This fix must be backported to 1.6 where the bug was detected. Special
thanks to Falco Schmutz for his detailed report including an exploitable
core and a reproducer.
(cherry picked from commit 58727ec088e55f739b146cff3baa955f8d1b2a3e)
---
include/types/proto_http.h | 1 -
src/proto_http.c | 21 +++++++++++++--------
2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/include/types/proto_http.h b/include/types/proto_http.h
index e5e9667..c3a73ef 100644
--- a/include/types/proto_http.h
+++ b/include/types/proto_http.h
@@ -362,7 +362,6 @@ struct http_txn {
unsigned int flags; /* transaction flags */
enum http_meth_t meth; /* HTTP method */
/* 1 unused byte here */
- short rule_deny_status; /* HTTP status from rule when denying */
short status; /* HTTP status from the server, negative if from proxy */
char *uri; /* first line if log needed, NULL otherwise */
diff --git a/src/proto_http.c b/src/proto_http.c
index 59cd5d2..6eac62b 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3490,10 +3490,12 @@ static int http_transform_header(struct stream* s, struct http_msg *msg,
* further processing of the request (auth, deny, ...), and defaults to
* HTTP_RULE_RES_STOP if it executed all rules or stopped on an allow, or
* HTTP_RULE_RES_CONT if the last rule was reached. It may set the TX_CLTARPIT
- * on txn->flags if it encounters a tarpit rule.
+ * on txn->flags if it encounters a tarpit rule. If <deny_status> is not NULL
+ * and a deny/tarpit rule is matched, it will be filled with this rule's deny
+ * status.
*/
enum rule_result
-http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s)
+http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s, int *deny_status)
{
struct session *sess = strm_sess(s);
struct http_txn *txn = s->txn;
@@ -3539,12 +3541,14 @@ resume_execution:
return HTTP_RULE_RES_STOP;
case ACT_ACTION_DENY:
- txn->rule_deny_status = rule->deny_status;
+ if (deny_status)
+ *deny_status = rule->deny_status;
return HTTP_RULE_RES_DENY;
case ACT_HTTP_REQ_TARPIT:
txn->flags |= TX_CLTARPIT;
- txn->rule_deny_status = rule->deny_status;
+ if (deny_status)
+ *deny_status = rule->deny_status;
return HTTP_RULE_RES_DENY;
case ACT_HTTP_REQ_AUTH:
@@ -4303,6 +4307,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
struct redirect_rule *rule;
struct cond_wordlist *wl;
enum rule_result verdict;
+ int deny_status = HTTP_ERR_403;
if (unlikely(msg->msg_state < HTTP_MSG_BODY)) {
/* we need more data */
@@ -4323,7 +4328,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
/* evaluate http-request rules */
if (!LIST_ISEMPTY(&px->http_req_rules)) {
- verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s);
+ verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s, &deny_status);
switch (verdict) {
case HTTP_RULE_RES_YIELD: /* some data miss, call the function later. */
@@ -4369,7 +4374,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
/* parse the whole stats request and extract the relevant information */
http_handle_stats(s, req);
- verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s);
+ verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s, &deny_status);
/* not all actions implemented: deny, allow, auth */
if (verdict == HTTP_RULE_RES_DENY) /* stats http-request deny */
@@ -4500,9 +4505,9 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
manage_client_side_cookies(s, req);
txn->flags |= TX_CLDENY;
- txn->status = http_err_codes[txn->rule_deny_status];
+ txn->status = http_err_codes[deny_status];
s->logs.tv_request = now;
- stream_int_retnclose(&s->si[0], http_error_message(s, txn->rule_deny_status));
+ stream_int_retnclose(&s->si[0], http_error_message(s, deny_status));
stream_inc_http_err_ctr(s);
sess->fe->fe_counters.denied_req++;
if (sess->fe != s->be)
--
2.6.6

293
0005-BUG-MEDIUM-stick-tables-fix-breakage-in-table-conver.patch Normal file
View File

@ -0,0 +1,293 @@
From 5a009af68013ac3f08fd08dad27b5d8ad038724c Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Wed, 25 May 2016 17:07:56 +0200
Subject: [PATCH 05/14] BUG/MEDIUM: stick-tables: fix breakage in table
converters
Baptiste reported that the table_conn_rate() converter would always
return zero in 1.6.5. In fact, commit bc8c404 ("MAJOR: stick-tables:
use sample types in place of dedicated types") broke all stick-table
converters because smp_to_stkey() now returns a pointer to the sample
instead of holding a copy of the key, and the converters used to
reinitialize the sample prior to performing the lookup. Only
"in_table()" continued to work.
The construct is still fragile, so some comments were added to a few
function to clarify their impacts. It's also worth noting that there
is no point anymore in forcing these converters to take a string on
input, but that will be changed in another commit.
The bug was introduced in 1.6-dev4, this fix must be backported to 1.6.
(cherry picked from commit f0c730a0ac21a64af666ffa32a336db2c6f56d1b)
---
src/stick_table.c | 56 +++++++++++++++++++++++++++++++++++++------------------
1 file changed, 38 insertions(+), 18 deletions(-)
diff --git a/src/stick_table.c b/src/stick_table.c
index e5bb168..3e816b2 100644
--- a/src/stick_table.c
+++ b/src/stick_table.c
@@ -461,6 +461,8 @@ int stktable_parse_type(char **args, int *myidx, unsigned long *type, size_t *ke
}
/* Prepares a stktable_key from a sample <smp> to search into table <t>.
+ * Note that the sample *is* modified and that the returned key may point
+ * to it, so the sample must not be modified afterwards before the lookup.
* Returns NULL if the sample could not be converted (eg: no matching type),
* otherwise a pointer to the static stktable_key filled with what is needed
* for the lookup.
@@ -700,11 +702,12 @@ static int sample_conv_table_bytes_in_rate(const struct arg *arg_p, struct sampl
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -736,11 +739,12 @@ static int sample_conv_table_conn_cnt(const struct arg *arg_p, struct sample *sm
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -771,11 +775,12 @@ static int sample_conv_table_conn_cur(const struct arg *arg_p, struct sample *sm
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -806,11 +811,12 @@ static int sample_conv_table_conn_rate(const struct arg *arg_p, struct sample *s
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -842,11 +848,12 @@ static int sample_conv_table_bytes_out_rate(const struct arg *arg_p, struct samp
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -878,11 +885,12 @@ static int sample_conv_table_gpt0(const struct arg *arg_p, struct sample *smp, v
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -913,11 +921,12 @@ static int sample_conv_table_gpc0(const struct arg *arg_p, struct sample *smp, v
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -948,11 +957,12 @@ static int sample_conv_table_gpc0_rate(const struct arg *arg_p, struct sample *s
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -984,11 +994,12 @@ static int sample_conv_table_http_err_cnt(const struct arg *arg_p, struct sample
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1019,11 +1030,12 @@ static int sample_conv_table_http_err_rate(const struct arg *arg_p, struct sampl
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1055,11 +1067,12 @@ static int sample_conv_table_http_req_cnt(const struct arg *arg_p, struct sample
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1090,11 +1103,12 @@ static int sample_conv_table_http_req_rate(const struct arg *arg_p, struct sampl
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1126,11 +1140,12 @@ static int sample_conv_table_kbytes_in(const struct arg *arg_p, struct sample *s
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1161,11 +1176,12 @@ static int sample_conv_table_kbytes_out(const struct arg *arg_p, struct sample *
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1196,11 +1212,12 @@ static int sample_conv_table_server_id(const struct arg *arg_p, struct sample *s
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1231,11 +1248,12 @@ static int sample_conv_table_sess_cnt(const struct arg *arg_p, struct sample *sm
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1266,11 +1284,12 @@ static int sample_conv_table_sess_rate(const struct arg *arg_p, struct sample *s
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1301,11 +1320,12 @@ static int sample_conv_table_trackers(const struct arg *arg_p, struct sample *sm
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (ts)
smp->data.u.sint = ts->ref_cnt;
--
2.6.6

51
0006-BUG-MEDIUM-dns-unbreak-DNS-resolver-after-header-fix.patch Normal file
View File

@ -0,0 +1,51 @@
From 5f60de08667c3472d95cc20b87753e9fd8520057 Mon Sep 17 00:00:00 2001
From: Lukas Tribus <luky-37@hotmail.com>
Date: Wed, 25 May 2016 22:15:11 +0200
Subject: [PATCH 06/14] BUG/MEDIUM: dns: unbreak DNS resolver after header fix
DNS requests (using the internal resolver) are corrupted since commit
e2f84977165a ("BUG/MINOR: dns: fix DNS header definition").
Fix it by defining the struct in network byte order, while complying
with RFC 2535, section 6.1.
First reported by Eduard Vopicka on discourse.
This must be backported to 1.6 (1.6.5 is affected).
(cherry picked from commit f2ebcb47cbf2af36236fde807c0c21a22d7c1e79)
---
include/types/dns.h | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/include/types/dns.h b/include/types/dns.h
index e3d2f6b..15fc01b 100644
--- a/include/types/dns.h
+++ b/include/types/dns.h
@@ -58,16 +58,16 @@
/* DNS request or response header structure */
struct dns_header {
unsigned short id:16; /* identifier */
- unsigned char qr :1; /* query/response 0: query, 1: response */
- unsigned char opcode :4; /* operation code */
- unsigned char aa :1; /* authoritative answer 0: no, 1: yes */
- unsigned char tc :1; /* truncation 0:no, 1: yes */
unsigned char rd :1; /* recursion desired 0: no, 1: yes */
- unsigned char ra :1; /* recursion available 0: no, 1: yes */
- unsigned char z :1; /* not used */
- unsigned char ad :1; /* authentic data */
- unsigned char cd :1; /* checking disabled */
+ unsigned char tc :1; /* truncation 0:no, 1: yes */
+ unsigned char aa :1; /* authoritative answer 0: no, 1: yes */
+ unsigned char opcode :4; /* operation code */
+ unsigned char qr :1; /* query/response 0: query, 1: response */
unsigned char rcode :4; /* response code */
+ unsigned char cd :1; /* checking disabled */
+ unsigned char ad :1; /* authentic data */
+ unsigned char z :1; /* not used */
+ unsigned char ra :1; /* recursion available 0: no, 1: yes */
unsigned short qdcount :16; /* question count */
unsigned short ancount :16; /* answer count */
unsigned short nscount :16; /* authority count */
--
2.6.6

67
0007-BUILD-fix-build-on-Solaris-11.patch Normal file
View File

@ -0,0 +1,67 @@
From a71fda4bf6c3e57997a3873a8bdb2b295b2299a2 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Fri, 20 May 2016 06:29:59 +0200
Subject: [PATCH 07/14] BUILD: fix build on Solaris 11
htonll()/ntohll() already exist on Solaris 11 with a different declaration,
causing a build error as reported by Jonathan Fisher. They used to exist on
OSX with a #define which allowed us to detect them. It was a bad idea to give
these functions a name subject to conflicts like this. Simply rename them
my_htonll()/my_ntohll() to definitely get rid of the conflict.
This patch must be backported to 1.6.
(cherry picked from commit 5f6e9054b920b9952baa9860c6ead1039c66e940)
---
include/common/standard.h | 10 +++-------
src/sample.c | 2 +-
2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/include/common/standard.h b/include/common/standard.h
index 2cc9f45..88776df 100644
--- a/include/common/standard.h
+++ b/include/common/standard.h
@@ -1009,8 +1009,7 @@ static inline unsigned char utf8_return_length(unsigned char code)
* the whole code is optimized out. In little endian, with a decent compiler,
* a few bswap and 2 shifts are left, which is the minimum acceptable.
*/
-#ifndef htonll
-static inline unsigned long long htonll(unsigned long long a)
+static inline unsigned long long my_htonll(unsigned long long a)
{
union {
struct {
@@ -1021,15 +1020,12 @@ static inline unsigned long long htonll(unsigned long long a)
} w = { .by64 = a };
return ((unsigned long long)htonl(w.by32.w1) << 32) | htonl(w.by32.w2);
}
-#endif
/* Turns 64-bit value <a> from network byte order to host byte order. */
-#ifndef ntohll
-static inline unsigned long long ntohll(unsigned long long a)
+static inline unsigned long long my_ntohll(unsigned long long a)
{
- return htonll(a);
+ return my_htonll(a);
}
-#endif
/* returns a 64-bit a timestamp with the finest resolution available. The
* unit is intentionally not specified. It's mostly used to compare dates.
diff --git a/src/sample.c b/src/sample.c
index ecea85e..527ff62 100644
--- a/src/sample.c
+++ b/src/sample.c
@@ -765,7 +765,7 @@ static int c_int2bin(struct sample *smp)
{
struct chunk *chk = get_trash_chunk();
- *(unsigned long long int *)chk->str = htonll(smp->data.u.sint);
+ *(unsigned long long int *)chk->str = my_htonll(smp->data.u.sint);
chk->len = 8;
smp->data.u.str = *chk;
--
2.6.6

38
0008-CLEANUP-connection-fix-double-negation-on-memcmp.patch Normal file
View File

@ -0,0 +1,38 @@
From c4809151b4c9ccc312cb451e99fd556e867242fc Mon Sep 17 00:00:00 2001
From: David CARLIER <devnexen@gmail.com>
Date: Thu, 24 Mar 2016 09:22:36 +0000
Subject: [PATCH 08/14] CLEANUP: connection: fix double negation on memcmp()
Nothing harmful in here, just clarify that it applies to the whole
expression.
(cherry picked from commit 42ff05e2d3d10e8a1e070e66e8883c5eabe196d7)
---
src/connection.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/connection.c b/src/connection.c
index 991cae3..5515188 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -385,7 +385,7 @@ int conn_recv_proxy(struct connection *conn, int flag)
if (trash.len < 9) /* shortest possible line */
goto missing;
- if (!memcmp(line, "TCP4 ", 5) != 0) {
+ if (memcmp(line, "TCP4 ", 5) == 0) {
u32 src3, dst3, sport, dport;
line += 5;
@@ -426,7 +426,7 @@ int conn_recv_proxy(struct connection *conn, int flag)
((struct sockaddr_in *)&conn->addr.to)->sin_port = htons(dport);
conn->flags |= CO_FL_ADDR_FROM_SET | CO_FL_ADDR_TO_SET;
}
- else if (!memcmp(line, "TCP6 ", 5) != 0) {
+ else if (memcmp(line, "TCP6 ", 5) == 0) {
u32 sport, dport;
char *src_s;
char *dst_s, *sport_s, *dport_s;
--
2.6.6

74
0009-BUG-MEDIUM-stats-show-servers-state-may-show-an-serv.patch Normal file
View File

@ -0,0 +1,74 @@
From 4cb6ccc835ce0c2c874e9868a62a981278b510f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyril=20Bont=C3=A9?= <cyril.bonte@free.fr>
Date: Fri, 27 May 2016 00:06:45 +0200
Subject: [PATCH 09/14] BUG/MEDIUM: stats: show servers state may show an
servers from another backend
Olivier Doucet reported that "show servers state" was producing an invalid
output with some configurations where nbproc > 1.
Indeed, commit 76a99784f4 fixed some issues but unfortunately introduced a
regression when a backend bound to the same process as the stats socket and a
previous backend is bound to another one.
For example :
global
daemon
nbproc 2
stats socket /var/run/haproxy-1.sock process 1
stats socket /var/run/haproxy-2.sock process 2
listen proc1
bind 127.0.0.1:9001
bind-process 1
server WRONG 127.0.0.1:80
listen proc2
bind 127.0.0.1:9002
bind-process 2
server RIGHT 127.0.0.1:80
Requesting "show servers state" on /var/run/haproxy-2.sock was producing a line
like :
3 proc2 1 WRONG 127.0.0.1 2 0 1 1 4 1 0 2 0 0 0 0
whereas the line below was awaited :
3 proc2 1 RIGHT 127.0.0.1 2 0 1 1 5 1 0 2 0 0 0 0
This was caused by the initialization of the server loop too early, before the
bind_proc filtering whereas it should be done after.
This fix should be backported to 1.6, where the regression has unfortunately
been backported.
(cherry picked from commit d55bd7a6a934387cdc5df7ad3fbc2718dc3a724e)
---
src/dumpstats.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/dumpstats.c b/src/dumpstats.c
index b9f5719..4614cf2 100644
--- a/src/dumpstats.c
+++ b/src/dumpstats.c
@@ -2755,6 +2755,9 @@ static int dump_servers_state(struct stream_interface *si, struct chunk *buf)
if (appctx->ctx.server_state.px->bind_proc && !(appctx->ctx.server_state.px->bind_proc & (1UL << (relative_pid - 1))))
return 1;
+ if (!appctx->ctx.server_state.sv)
+ appctx->ctx.server_state.sv = appctx->ctx.server_state.px->srv;
+
for (; appctx->ctx.server_state.sv != NULL; appctx->ctx.server_state.sv = srv->next) {
srv = appctx->ctx.server_state.sv;
srv_addr[0] = '\0';
@@ -2857,8 +2860,6 @@ static int stats_dump_servers_state_to_buffer(struct stream_interface *si)
for (; appctx->ctx.server_state.px != NULL; appctx->ctx.server_state.px = curproxy->next) {
curproxy = appctx->ctx.server_state.px;
- if (!appctx->ctx.server_state.sv)
- appctx->ctx.server_state.sv = appctx->ctx.server_state.px->srv;
/* servers are only in backends */
if (curproxy->cap & PR_CAP_BE) {
if (!dump_servers_state(si, &trash))
--
2.6.6

30
0010-BUG-MEDIUM-fix-risk-of-segfault-with-show-tls-keys.patch Normal file
View File

@ -0,0 +1,30 @@
From ff8957a6f44061594b0e2456de172b7c9f453a3f Mon Sep 17 00:00:00 2001
From: William Lallemand <wlallemand@haproxy.com>
Date: Fri, 20 May 2016 17:28:07 +0200
Subject: [PATCH 10/14] BUG/MEDIUM: fix risk of segfault with "show tls-keys"
The reference to the tls_keys_ref was not deleted from the
tlskeys_reference linked list.
When the SSL is malconfigured, it can lead to an access to freed memory
during a "show tls-keys" on the admin socked.
(cherry picked from commit 7bba4ccfb68b2fc0e76f51bcca7cdcb1388c4023)
---
src/cfgparse.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/cfgparse.c b/src/cfgparse.c
index b0f837e..7025b6a 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -8728,6 +8728,7 @@ out_uri_auth_compat:
if(bind_conf->keys_ref) {
free(bind_conf->keys_ref->filename);
free(bind_conf->keys_ref->tlskeys);
+ LIST_DEL(&bind_conf->keys_ref->list);
free(bind_conf->keys_ref);
}
#endif /* USE_OPENSSL */
--
2.6.6

51
0011-BUG-MEDIUM-sticktables-segfault-in-some-configuratio.patch Normal file
View File

@ -0,0 +1,51 @@
From 4693e2302271252044038c9be38487fb16218e5b Mon Sep 17 00:00:00 2001
From: Thierry Fournier <thierry.fournier@ozon.io>
Date: Mon, 6 Jun 2016 18:28:05 +0200
Subject: [PATCH 11/14] BUG/MEDIUM: sticktables: segfault in some configuration
error cases
When a stick table is tracked, and another one is used later on the
configuration, a segfault occurs.
The function "smp_create_src_stkctr" can return a NULL value, and
its value is not tested, so one other function try to dereference
a NULL pointer. This patch just add a verification of the NULL
pointer.
The problem is reproduced with this configuration:
listen www
mode http
bind :12345
tcp-request content track-sc0 src table IPv4
http-request allow if { sc0_inc_gpc0(IPv6) gt 0 }
server dummy 127.0.0.1:80
backend IPv4
stick-table type ip size 10 expire 60s store gpc0
backend IPv6
stick-table type ipv6 size 10 expire 60s store gpc0
Thank to kabefuna@gmail.com for the bug report.
This patch must be backported in the 1.6 and 1.5 version.
(cherry picked from commit 6fc340ff07171bb85d11d835fa4158bbdef240a0)
---
src/stream.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/stream.c b/src/stream.c
index 4ba8010..d80efa5 100644
--- a/src/stream.c
+++ b/src/stream.c
@@ -2855,7 +2855,7 @@ smp_fetch_sc_inc_gpc0(const struct arg *args, struct sample *smp, const char *kw
if (stkctr_entry(stkctr) == NULL)
stkctr = smp_create_src_stkctr(smp->sess, smp->strm, args, kw);
- if (stkctr_entry(stkctr) != NULL) {
+ if (stkctr && stkctr_entry(stkctr)) {
void *ptr1,*ptr2;
/* First, update gpc0_rate if it's tracked. Second, update its
--
2.6.6

35
0012-BUG-MEDIUM-lua-converters-doesn-t-work.patch Normal file
View File

@ -0,0 +1,35 @@
From 7e3cfc9e48673314f7b970a054339306cef20928 Mon Sep 17 00:00:00 2001
From: Thierry Fournier <thierry.fournier@ozon.io>
Date: Fri, 27 May 2016 16:35:01 +0200
Subject: [PATCH 12/14] BUG/MEDIUM: lua: converters doesn't work
The number of arguments pushed in the stack are false, so we try to execute a
function out of the stack. This function is always a nil pointer, so the
following message is displayed.
Lua converter 'testconv': runtime error: attempt to call a nil value.
Thanks Michael Ezzell for the repporting.
This patch must be backported in the 1.6 version.
(cherry picked from commit 4a53bfdc1de46c78a23eabdefc4b418cff7d0403)
---
src/hlua.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/hlua.c b/src/hlua.c
index edd288d..185c4c1 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -5167,7 +5167,7 @@ static int hlua_sample_conv_wrapper(const struct arg *arg_p, struct sample *smp,
return 0;
}
hlua_smp2lua(stream->hlua.T, smp);
- stream->hlua.nargs = 2;
+ stream->hlua.nargs = 1;
/* push keywords in the stack. */
if (arg_p) {
--
2.6.6

31
0013-BUG-MINOR-http-add-header-header-name-copied-twice.patch Normal file
View File

@ -0,0 +1,31 @@
From d281d68d3aa010f7e1a635c92ab486f7f2c666b9 Mon Sep 17 00:00:00 2001
From: Thierry Fournier <thierry.fournier@ozon.io>
Date: Wed, 1 Jun 2016 13:36:20 +0200
Subject: [PATCH 13/14] BUG/MINOR: http: add-header: header name copied twice
The header name is copied two time in the buffer. The first copy is a printf-like
function writing the name and the http separators in the buffer, and the second
form is a memcopy. This seems to be inherited from some changes. This patch
removes the printf like, format.
This patch must be backported in 1.6 and 1.5 versions
(cherry picked from commit 53c1a9b7cb8f3fe79b5492218363b6c0ff608fc1)
---
src/proto_http.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/proto_http.c b/src/proto_http.c
index 6eac62b..0d9dd31 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3615,7 +3615,6 @@ resume_execution:
case ACT_HTTP_SET_HDR:
case ACT_HTTP_ADD_HDR:
- chunk_printf(&trash, "%s: ", rule->arg.hdr_add.name);
memcpy(trash.str, rule->arg.hdr_add.name, rule->arg.hdr_add.name_len);
trash.len = rule->arg.hdr_add.name_len;
trash.str[trash.len++] = ':';
--
2.6.6

64
0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch Normal file
View File

@ -0,0 +1,64 @@
From f5cb61d3224df4075e2ce3172733a25a1fab7fca Mon Sep 17 00:00:00 2001
From: Thierry Fournier <thierry.fournier@ozon.io>
Date: Wed, 1 Jun 2016 13:35:36 +0200
Subject: [PATCH 14/14] BUG/MEDIUM: http: add-header: buffer overwritten
If we use the action "http-request add-header" with a Lua sample-fetch or
converter, and the Lua function calls one of the Lua log function, the
header name is corrupted, it contains an extract of the last loggued data.
This is due to an overwrite of the trash buffer, because his scope is not
respected in the "add-header" function. The scope of the trash buffer must
be limited to the function using it. The build_logline() function can
execute a lot of other function which can use the trash buffer.
This patch fix the usage of the trash buffer. It limits the scope of this
global buffer to the local function, we build first the header value using
build_logline, and after we store the header name.
Thanks Michael Ezzell for the repporting.
This patch must be backported in 1.6 version
(cherry picked from commit 4b788f7d349ddde3f70f063b7394529eac6ab678)
---
src/proto_http.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/proto_http.c b/src/proto_http.c
index 0d9dd31..fd1f108 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3504,6 +3504,7 @@ http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream
struct hdr_ctx ctx;
const char *auth_realm;
int act_flags = 0;
+ int len;
/* If "the current_rule_list" match the executed rule list, we are in
* resume condition. If a resume is needed it is always in the action
@@ -3615,11 +3616,18 @@ resume_execution:
case ACT_HTTP_SET_HDR:
case ACT_HTTP_ADD_HDR:
+ /* The scope of the trash buffer must be limited to this function. The
+ * build_logline() function can execute a lot of other function which
+ * can use the trash buffer. So for limiting the scope of this global
+ * buffer, we build first the header value using build_logline, and
+ * after we store the header name.
+ */
+ len = rule->arg.hdr_add.name_len + 2,
+ len += build_logline(s, trash.str + len, trash.size - len, &rule->arg.hdr_add.fmt);
memcpy(trash.str, rule->arg.hdr_add.name, rule->arg.hdr_add.name_len);
- trash.len = rule->arg.hdr_add.name_len;
- trash.str[trash.len++] = ':';
- trash.str[trash.len++] = ' ';
- trash.len += build_logline(s, trash.str + trash.len, trash.size - trash.len, &rule->arg.hdr_add.fmt);
+ trash.str[rule->arg.hdr_add.name_len] = ':';
+ trash.str[rule->arg.hdr_add.name_len + 1] = ' ';
+ trash.len = len;
if (rule->action == ACT_HTTP_SET_HDR) {
/* remove all occurrences of the header */
--
2.6.6

19
haproxy.changes
View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Thu Jun 9 12:48:27 UTC 2016 - mrueckert@suse.de
- pull patches from git to fix some important issues (bsc#983972) (bsc#983974):
0001-BUG-MAJOR-fix-listening-IP-address-storage-for-front.patch
0002-BUG-MINOR-fix-listening-IP-address-storage-for-front.patch
0003-DOC-Fix-typo-so-fetch-is-properly-parsed-by-Cyril-s-.patch
0004-BUG-MAJOR-http-fix-breakage-of-reqdeny-causing-rando.patch
0005-BUG-MEDIUM-stick-tables-fix-breakage-in-table-conver.patch
0006-BUG-MEDIUM-dns-unbreak-DNS-resolver-after-header-fix.patch
0007-BUILD-fix-build-on-Solaris-11.patch
0008-CLEANUP-connection-fix-double-negation-on-memcmp.patch
0009-BUG-MEDIUM-stats-show-servers-state-may-show-an-serv.patch
0010-BUG-MEDIUM-fix-risk-of-segfault-with-show-tls-keys.patch
0011-BUG-MEDIUM-sticktables-segfault-in-some-configuratio.patch
0012-BUG-MEDIUM-lua-converters-doesn-t-work.patch
0013-BUG-MINOR-http-add-header-header-name-copied-twice.patch
0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch
-------------------------------------------------------------------
Tue May 10 14:24:24 UTC 2016 - mrueckert@suse.de

28
haproxy.spec
View File

@ -74,6 +74,20 @@ Source4: haproxy.cfg
Patch1: haproxy-1.6.0_config_haproxy_user.patch
Patch2: haproxy-1.6.0-makefile_lib.patch
Patch3: haproxy-1.6.0-sec-options.patch
Patch11: 0001-BUG-MAJOR-fix-listening-IP-address-storage-for-front.patch
Patch12: 0002-BUG-MINOR-fix-listening-IP-address-storage-for-front.patch
Patch13: 0003-DOC-Fix-typo-so-fetch-is-properly-parsed-by-Cyril-s-.patch
Patch14: 0004-BUG-MAJOR-http-fix-breakage-of-reqdeny-causing-rando.patch
Patch15: 0005-BUG-MEDIUM-stick-tables-fix-breakage-in-table-conver.patch
Patch16: 0006-BUG-MEDIUM-dns-unbreak-DNS-resolver-after-header-fix.patch
Patch17: 0007-BUILD-fix-build-on-Solaris-11.patch
Patch18: 0008-CLEANUP-connection-fix-double-negation-on-memcmp.patch
Patch19: 0009-BUG-MEDIUM-stats-show-servers-state-may-show-an-serv.patch
Patch20: 0010-BUG-MEDIUM-fix-risk-of-segfault-with-show-tls-keys.patch
Patch21: 0011-BUG-MEDIUM-sticktables-segfault-in-some-configuratio.patch
Patch22: 0012-BUG-MEDIUM-lua-converters-doesn-t-work.patch
Patch23: 0013-BUG-MINOR-http-add-header-header-name-copied-twice.patch
Patch24: 0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch
#
Source99: haproxy-rpmlintrc
#
@ -107,6 +121,20 @@ the most work done from every CPU cycle.
%patch1 -p1
%patch2
%patch3
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%build
%{__make} \