From 26db59ea6b1f7319f53aca34bc64c4f180247e98 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Sun, 28 Nov 2010 06:57:24 +0100 Subject: [PATCH] [BUG] http: correctly update the header list when removing two consecutive headers When a header is removed, the previous header's next pointer is updated to reflect the next of the current header. However, when cycling through the loop, we update the prev pointer to point to the deleted header, which means that if we delete another header, it's the deleted header's next pointer that will be updated, leaving the deleted header in the list with a null length, which is forbidden. We must just not update the prev pointer after a removal. This bug was present when either "reqdel" and "rspdel" removed two consecutive headers. It could also occur when removing cookies in either requests or responses, but since headers were the last header processing, the issue remained unnoticed. Issue reported by Hank A. Paulson. This fix must be ported to 1.4 and possibly 1.3. --- src/proto_http.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/proto_http.c b/src/proto_http.c index 5385ffc23..47bdb6329 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -5553,6 +5553,7 @@ int apply_filter_to_req_headers(struct session *t, struct buffer *req, struct hd txn->hdr_idx.used--; cur_hdr->len = 0; cur_end = NULL; /* null-term has been rewritten */ + cur_idx = old_idx; break; } @@ -6325,6 +6326,7 @@ void manage_client_side_cookies(struct session *t, struct buffer *req) txn->hdr_idx.v[old_idx].next = cur_hdr->next; txn->hdr_idx.used--; cur_hdr->len = 0; + cur_idx = old_idx; } hdr_next += delta; http_msg_move_end(&txn->req, delta); @@ -6417,6 +6419,7 @@ int apply_filter_to_resp_headers(struct session *t, struct buffer *rtr, struct h txn->hdr_idx.used--; cur_hdr->len = 0; cur_end = NULL; /* null-term has been rewritten */ + cur_idx = old_idx; break; } @@ -6806,6 +6809,7 @@ void manage_server_side_cookies(struct session *t, struct buffer *res) txn->hdr_idx.v[old_idx].next = cur_hdr->next; txn->hdr_idx.used--; cur_hdr->len = 0; + cur_idx = old_idx; hdr_next += delta; http_msg_move_end(&txn->rsp, delta); /* note: while both invalid now, and