mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-08 08:07:10 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: h1: Really skip all updates when incomplete messages are parsed

Browse Source 
In h1_headers_to_hdr_list, when an incomplete message is parsed, all updates
must be skipped until the end of the message is found. Then the parsing is
restarted from the beginning. But not all updates were skipped, leading to
invalid rewritting or segfault.

No backport is needed.
This commit is contained in:
Christopher Faulet 2018-09-19 14:01:04 +02:00 committed by Willy Tarreau
parent f147479bd5
commit 2912f87443
1 changed files with 49 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/h1.c
View File

@ -1240,9 +1240,11 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
http_msg_hdr_name: http_msg_hdr_name:
/* assumes sol points to the first char */ /* assumes sol points to the first char */
if (likely(HTTP_IS_TOKEN(*ptr))) { if (likely(HTTP_IS_TOKEN(*ptr))) {
if (!skip_update) {
/* turn it to lower case if needed */ /* turn it to lower case if needed */
if (isupper((unsigned char)*ptr) && h1m->flags & H1_MF_TOLOWER) if (isupper((unsigned char)*ptr) && h1m->flags & H1_MF_TOLOWER)
*ptr = tolower(*ptr); *ptr = tolower(*ptr);
}
EAT_AND_JUMP_OR_RETURN(ptr, end, http_msg_hdr_name, http_msg_ood, state, H1_MSG_HDR_NAME); EAT_AND_JUMP_OR_RETURN(ptr, end, http_msg_hdr_name, http_msg_ood, state, H1_MSG_HDR_NAME);
} }
@ -1287,9 +1289,11 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
case H1_MSG_HDR_L1_LWS: case H1_MSG_HDR_L1_LWS:
http_msg_hdr_l1_lws: http_msg_hdr_l1_lws:
if (likely(HTTP_IS_SPHT(*ptr))) { if (likely(HTTP_IS_SPHT(*ptr))) {
if (!skip_update) {
/* replace HT,CR,LF with spaces */ /* replace HT,CR,LF with spaces */
for (; start + sov < ptr; sov++) for (; start + sov < ptr; sov++)
start[sov] = ' '; start[sov] = ' ';
}
goto http_msg_hdr_l1_sp; goto http_msg_hdr_l1_sp;
} }
/* we had a header consisting only in spaces ! */ /* we had a header consisting only in spaces ! */
@ -1348,9 +1352,11 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
case H1_MSG_HDR_L2_LWS: case H1_MSG_HDR_L2_LWS:
http_msg_hdr_l2_lws: http_msg_hdr_l2_lws:
if (unlikely(HTTP_IS_SPHT(*ptr))) { if (unlikely(HTTP_IS_SPHT(*ptr))) {
if (!skip_update) {
/* LWS: replace HT,CR,LF with spaces */ /* LWS: replace HT,CR,LF with spaces */
for (; start + eol < ptr; eol++) for (; start + eol < ptr; eol++)
start[eol] = ' '; start[eol] = ' ';
}
goto http_msg_hdr_val; goto http_msg_hdr_val;
} }
http_msg_complete_header: http_msg_complete_header:
@ -1363,6 +1369,7 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
* adjusting <eol> and <sov> which are no more used after this. * adjusting <eol> and <sov> which are no more used after this.
* We can add the header field to the list. * We can add the header field to the list.
*/ */
if (likely(!skip_update)) {
while (sov < eol && HTTP_IS_LWS(start[sov])) while (sov < eol && HTTP_IS_LWS(start[sov]))
sov++; sov++;
@ -1373,7 +1380,7 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
n = ist2(start + sol, col - sol); n = ist2(start + sol, col - sol);
v = ist2(start + sov, eol - sov); v = ist2(start + sov, eol - sov);
if (likely(!skip_update)) do { do {
int ret; int ret;
if (unlikely(hdr_count >= hdr_num)) { if (unlikely(hdr_count >= hdr_num)) {
@ -1402,8 +1409,10 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
http_set_hdr(&hdr[hdr_count++], n, v); http_set_hdr(&hdr[hdr_count++], n, v);
} while (0); } while (0);
}
sol = ptr - start; sol = ptr - start;
if (likely(!HTTP_IS_CRLF(*ptr))) if (likely(!HTTP_IS_CRLF(*ptr)))
goto http_msg_hdr_name; goto http_msg_hdr_name;