rpm/haproxy
SHA256
1
0
Fork 0
forked from pool/haproxy
Code Pull Requests Activity
5707ef87f9
haproxy/0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch

65 lines
2.7 KiB
Diff
Raw Normal View History

- pull patches from git to fix some important issues: 0001-BUG-MAJOR-fix-listening-IP-address-storage-for-front.patch 0002-BUG-MINOR-fix-listening-IP-address-storage-for-front.patch 0003-DOC-Fix-typo-so-fetch-is-properly-parsed-by-Cyril-s-.patch 0004-BUG-MAJOR-http-fix-breakage-of-reqdeny-causing-rando.patch 0005-BUG-MEDIUM-stick-tables-fix-breakage-in-table-conver.patch 0006-BUG-MEDIUM-dns-unbreak-DNS-resolver-after-header-fix.patch 0007-BUILD-fix-build-on-Solaris-11.patch 0008-CLEANUP-connection-fix-double-negation-on-memcmp.patch 0009-BUG-MEDIUM-stats-show-servers-state-may-show-an-serv.patch 0010-BUG-MEDIUM-fix-risk-of-segfault-with-show-tls-keys.patch 0011-BUG-MEDIUM-sticktables-segfault-in-some-configuratio.patch 0012-BUG-MEDIUM-lua-converters-doesn-t-work.patch 0013-BUG-MINOR-http-add-header-header-name-copied-twice.patch 0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=129
2016-06-09 14:56:55 +02:00
From f5cb61d3224df4075e2ce3172733a25a1fab7fca Mon Sep 17 00:00:00 2001
From: Thierry Fournier <thierry.fournier@ozon.io>
Date: Wed, 1 Jun 2016 13:35:36 +0200
Subject: [PATCH 14/14] BUG/MEDIUM: http: add-header: buffer overwritten
If we use the action "http-request add-header" with a Lua sample-fetch or
converter, and the Lua function calls one of the Lua log function, the
header name is corrupted, it contains an extract of the last loggued data.
This is due to an overwrite of the trash buffer, because his scope is not
respected in the "add-header" function. The scope of the trash buffer must
be limited to the function using it. The build_logline() function can
execute a lot of other function which can use the trash buffer.
This patch fix the usage of the trash buffer. It limits the scope of this
global buffer to the local function, we build first the header value using
build_logline, and after we store the header name.
Thanks Michael Ezzell for the repporting.
This patch must be backported in 1.6 version
(cherry picked from commit 4b788f7d349ddde3f70f063b7394529eac6ab678)
---
src/proto_http.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/proto_http.c b/src/proto_http.c
index 0d9dd31..fd1f108 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3504,6 +3504,7 @@ http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream
struct hdr_ctx ctx;
const char *auth_realm;
int act_flags = 0;
+ int len;
/* If "the current_rule_list" match the executed rule list, we are in
* resume condition. If a resume is needed it is always in the action
@@ -3615,11 +3616,18 @@ resume_execution:
case ACT_HTTP_SET_HDR:
case ACT_HTTP_ADD_HDR:
+ /* The scope of the trash buffer must be limited to this function. The
+ * build_logline() function can execute a lot of other function which
+ * can use the trash buffer. So for limiting the scope of this global
+ * buffer, we build first the header value using build_logline, and
+ * after we store the header name.
+ */
+ len = rule->arg.hdr_add.name_len + 2,
+ len += build_logline(s, trash.str + len, trash.size - len, &rule->arg.hdr_add.fmt);
memcpy(trash.str, rule->arg.hdr_add.name, rule->arg.hdr_add.name_len);
- trash.len = rule->arg.hdr_add.name_len;
- trash.str[trash.len++] = ':';
- trash.str[trash.len++] = ' ';
- trash.len += build_logline(s, trash.str + trash.len, trash.size - trash.len, &rule->arg.hdr_add.fmt);
+ trash.str[rule->arg.hdr_add.name_len] = ':';
+ trash.str[rule->arg.hdr_add.name_len + 1] = ' ';
+ trash.len = len;
if (rule->action == ACT_HTTP_SET_HDR) {
/* remove all occurrences of the header */
--
2.6.6
Copy Permalink