forked from pool/haproxy
26c4149063
- Backport patches from upstream:
  - BUG/MINOR: http: remove stupid HTTP_METH_NONE entry
  - BUG/MAJOR: http: don't call http_send_name_header() after an error
- Add 0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch
- Add 0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch
- Backport patches from upstream:
  - BUG/MINOR: log: missing some ARGC_* entries in fmt_directives()
  - DOC: usesrc root privileges requirements
  - BUILD: ssl: Allow building against libssl without SSLv3.
  - DOC/MINOR: fix OpenBSD versions where haproxy works
  - BUG/MINOR: http/sample: gmtime/localtime can fail
  - DOC: typo in 'redirect', 302 code meaning
  - DOC: mention that %ms is left-padded with zeroes.
  - CLEANUP: .gitignore: ignore more test files
  - CLEANUP: .gitignore: finally ignore everything but what is known.
  - MEDIUM: config: emit a warning on a frontend without listener
  - BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0 creates a missing entry
  - DOC: ssl: missing LF
  - DOC: fix example of http-request using ssl_fc_session_id
- Add 0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch
- Add 0002-DOC-usesrc-root-privileges-requirements.patch
- Add 0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch
- Add 0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch
- Add 0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch
- Add 0006-DOC-typo-in-redirect-302-code-meaning.patch
- Add 0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch
- Add 0008-CLEANUP-.gitignore-ignore-more-test-files.patch
- Add 0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch
- Add 0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch

(forwarded request 329653 from KGronlund)

OBS-URL: https://build.opensuse.org/request/show/329654
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=32
From 3f34b5539e7ba31e44055d853b9ba496e73e0bae Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Mon, 7 Sep 2015 19:32:33 +0200
Subject: [PATCH 15/15] BUG/MAJOR: http: don't call http_send_name_header()
 after an error

A crash was reported when using the "famous" http-send-name-header
directive. This time it's a bit tricky, it requires a certain number of
conditions to be met including maxconn on a server, queuing, timeout in
the queue and cookie-based persistence.

The problem is that in stream.c, before calling http_send_name_header(),
we check a number of conditions to know if we have to replace the header
name. But prior to reaching this place, it's possible for
sess_update_stream_int() to fail and change the stream-int's state to
SI_ST_CLO, send an error 503 to the client, and flush all buffers. But
http_send_name_header() can only be called with valid buffer contents
matching the http_msg's description. So when it rewinds the stream to
modify the header, buf->o becomes negative by the size of the incoming
request and is used as the argument to memmove() which basically
displaces 4GB of memory off a few bytes to write the new name, resulting
in a core and a core file that's really not fun to play with.

The solution obviously consists in refraining from calling this nasty
function when the stream interface is already closed.

This bug also affects 1.5 and possibly 1.4, so the fix must be backported
there.
(cherry picked from commit 9c03b33329cb4924716edc1c851913a18b0670dc)
---
 src/session.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/session.c b/src/session.c
index 6d62e36..7520a85 100644
--- a/src/session.c
+++ b/src/session.c
@@ -2293,7 +2293,7 @@ struct task *process_session(struct task *t)
/* Now we can add the server name to a header (if requested) */
/* check for HTTP mode and proxy server_name_hdr_name != NULL */
- if ((s->si[1].state >= SI_ST_CON) &&
+ if ((s->si[1].state >= SI_ST_CON) && (s->si[1].state < SI_ST_CLO) &&
(s->be->server_id_hdr_name != NULL) &&
(s->be->mode == PR_MODE_HTTP) &&
objt_server(s->target)) {
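
Review bot: The new (s->si[1].state < SI_ST_CLO) test on the changed `if` line is not reflected in the comment directly above it, which still mentions only HTTP mode and the header name (and names the field server_name_hdr_name while the code tests server_id_hdr_name). Suggest extending that comment to say the call is skipped once the stream interface is closed, because per the commit message the buffers have been flushed by then and no longer match the http_msg. The range test also depends on the numeric ordering of the SI_ST_* states, which is worth stating in the same comment. Since the commit message says http_send_name_header() is only safe on valid buffer contents, consider an additional guard inside that function so the negative buf->o passed to memmove() cannot recur from this or any other call site.
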
--
2.1.4