forked from pool/haproxy
haproxy/0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch
Marcus Rueckert 55e4255fc5 - pull patches from git to fix some important issues:
  0001-BUG-MAJOR-fix-listening-IP-address-storage-for-front.patch
  0002-BUG-MINOR-fix-listening-IP-address-storage-for-front.patch
  0003-DOC-Fix-typo-so-fetch-is-properly-parsed-by-Cyril-s-.patch
  0004-BUG-MAJOR-http-fix-breakage-of-reqdeny-causing-rando.patch
  0005-BUG-MEDIUM-stick-tables-fix-breakage-in-table-conver.patch
  0006-BUG-MEDIUM-dns-unbreak-DNS-resolver-after-header-fix.patch
  0007-BUILD-fix-build-on-Solaris-11.patch
  0008-CLEANUP-connection-fix-double-negation-on-memcmp.patch
  0009-BUG-MEDIUM-stats-show-servers-state-may-show-an-serv.patch
  0010-BUG-MEDIUM-fix-risk-of-segfault-with-show-tls-keys.patch
  0011-BUG-MEDIUM-sticktables-segfault-in-some-configuratio.patch
  0012-BUG-MEDIUM-lua-converters-doesn-t-work.patch
  0013-BUG-MINOR-http-add-header-header-name-copied-twice.patch
  0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch

OBS-URL: https://build.opensuse.org/package/show/server:http/haproxy?expand=0&rev=129
2016-06-09 12:56:55 +00:00


From f5cb61d3224df4075e2ce3172733a25a1fab7fca Mon Sep 17 00:00:00 2001
From: Thierry Fournier <thierry.fournier@ozon.io>
Date: Wed, 1 Jun 2016 13:35:36 +0200
Subject: [PATCH 14/14] BUG/MEDIUM: http: add-header: buffer overwritten

If we use the action "http-request add-header" with a Lua sample-fetch or
converter, and the Lua function calls one of the Lua log functions, the
header name is corrupted: it contains an extract of the last logged data.

This is due to an overwrite of the trash buffer, because its scope is not
respected in the "add-header" function. The scope of the trash buffer must
be limited to the function using it. The build_logline() function can
execute a lot of other functions which can use the trash buffer.

This patch fixes the usage of the trash buffer. It limits the scope of this
global buffer to the local function: we first build the header value using
build_logline, and afterwards we store the header name.

Thanks to Michael Ezzell for the report.

This patch must be backported to the 1.6 version.

(cherry picked from commit 4b788f7d349ddde3f70f063b7394529eac6ab678)
---
src/proto_http.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/proto_http.c b/src/proto_http.c
index 0d9dd31..fd1f108 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3504,6 +3504,7 @@ http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream
struct hdr_ctx ctx;
const char *auth_realm;
int act_flags = 0;
+ int len;
/* If "the current_rule_list" match the executed rule list, we are in
* resume condition. If a resume is needed it is always in the action
@@ -3615,11 +3616,18 @@ resume_execution:
case ACT_HTTP_SET_HDR:
case ACT_HTTP_ADD_HDR:
+ /* The scope of the trash buffer must be limited to this function. The
+ * build_logline() function can execute a lot of other function which
+ * can use the trash buffer. So for limiting the scope of this global
+ * buffer, we build first the header value using build_logline, and
+ * after we store the header name.
+ */
+ len = rule->arg.hdr_add.name_len + 2,
+ len += build_logline(s, trash.str + len, trash.size - len, &rule->arg.hdr_add.fmt);
memcpy(trash.str, rule->arg.hdr_add.name, rule->arg.hdr_add.name_len);
- trash.len = rule->arg.hdr_add.name_len;
- trash.str[trash.len++] = ':';
- trash.str[trash.len++] = ' ';
- trash.len += build_logline(s, trash.str + trash.len, trash.size - trash.len, &rule->arg.hdr_add.fmt);
+ trash.str[rule->arg.hdr_add.name_len] = ':';
+ trash.str[rule->arg.hdr_add.name_len + 1] = ' ';
+ trash.len = len;
if (rule->action == ACT_HTTP_SET_HDR) {
/* remove all occurrences of the header */
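Review bot: the added line `len = rule->arg.hdr_add.name_len + 2,` ends with a comma rather than a semicolon. It still compiles because the comma operator chains it to the following `len += build_logline(...)` expression, but it reads as a typo and should be terminated with `;`. Separately, nothing in this hunk checks that `name_len + 2` fits within `trash.size` before `trash.size - len` is passed as the remaining space and before the `memcpy` of the name; if the header name length is not already bounded where the rule is parsed, a check here would be worth adding.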
--
2.6.6
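
The ordering problem described in the commit message, reduced to a stand-alone model. This is an added example, not HAProxy code: `scratch`, `log_msg`, `build_value` and the two `header_*` functions are hypothetical stand-ins for the trash buffer, a Lua log call, `build_logline()` and the old and new code paths.

```c
#include <stdio.h>
#include <string.h>

static char scratch[128];   /* constructed stand-in for the global trash buffer */

/* Stand-in for a log function: formats its message at offset 0 of scratch. */
static void log_msg(const char *msg)
{
    snprintf(scratch, sizeof(scratch), "log: %s", msg);
}

/* Stand-in for build_logline(): logs as a side effect, then writes the value. */
static int build_value(char *dst, size_t size)
{
    log_msg("sample fetch called");
    return snprintf(dst, size, "%s", "example-value");
}

/* Order before the fix: header name stored first, value built afterwards. */
static void header_name_first(const char *name, char *out, size_t outsz)
{
    size_t n = strlen(name);
    if (n + 2 >= sizeof(scratch)) { out[0] = '\0'; return; }
    memcpy(scratch, name, n);
    scratch[n] = ':';
    scratch[n + 1] = ' ';
    build_value(scratch + n + 2, sizeof(scratch) - n - 2); /* clobbers the name */
    snprintf(out, outsz, "%s", scratch);
}

/* Order after the fix: value built at its final offset, name stored last. */
static void header_value_first(const char *name, char *out, size_t outsz)
{
    size_t n = strlen(name);
    if (n + 2 >= sizeof(scratch)) { out[0] = '\0'; return; }
    build_value(scratch + n + 2, sizeof(scratch) - n - 2);
    memcpy(scratch, name, n);
    scratch[n] = ':';
    scratch[n + 1] = ' ';
    snprintf(out, outsz, "%s", scratch);
}

int main(void)
{
    char out[128];
    header_name_first("X-Test", out, sizeof(out));
    printf("name first : %s\n", out);
    header_value_first("X-Test", out, sizeof(out));
    printf("value first: %s\n", out);
    return 0;
}
```

In the name-first order the first eight bytes of the header line are whatever the logger last left in the shared buffer, which is the corruption the commit message reports.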