[BUG] fix segfault with url_param + check_post

If an HTTP/0.9-like POST request is sent to haproxy while configured with url_param + check_post, it will crash. The reason is that the total buffer length was computed based on req->total (which equals the number of bytes read) and not req->l (number of bytes in the buffer), thus leading to wrong size calculations when calling memchr(). The affected code does not look like it could have been exploited to run arbitrary code, only reads were performed at wrong locations. (cherry picked from commit fb0528bd56063e9800c7dd6fbd96b3c5c6a687f2)
2026-01-16 22:31:42 +01:00 · 2008-08-11 00:21:56 +02:00 · 2008-08-11 00:21:56 +02:00 · 3449d158ad
commit 3449d158ad
parent 0e3e59b11f
2 changed files with 6 additions and 6 deletions
--- a/src/backend.c
+++ b/src/backend.c
@ -1201,7 +1201,7 @@ struct server *get_server_ph_post(struct session *s)
 		return NULL;

        body = msg->sol[msg->eoh] == '\r' ? msg->eoh + 2 : msg->eoh + 1;
-        len  = req->total - body;
+        len  = req->l - body;
        params = req->data + body;

 	if ( len == 0 )
--- a/src/proto_http.c
+++ b/src/proto_http.c
@ -2077,7 +2077,7 @@ int process_cli(struct session *t)
                 */
 		if (!(t->flags & (SN_ASSIGNED|SN_DIRECT)) &&
 		     t->txn.meth == HTTP_METH_POST && t->be->url_param_name != NULL &&
-		     t->be->url_param_post_limit != 0 && req->total < BUFSIZE &&
+		     t->be->url_param_post_limit != 0 && req->l < BUFSIZE &&
 		     memchr(msg->sol + msg->sl.rq.u, '?', msg->sl.rq.u_l) == NULL) {
 			/* are there enough bytes here? total == l || r || rlim ?
 			 * len is unsigned, but eoh is int,
@ -2085,7 +2085,7 @@ int process_cli(struct session *t)
 			 * eoh is the first empty line of the header
 			 */
                        /* already established CRLF or LF at eoh, move to start of message, find message length in buffer */
-			unsigned long len = req->total - (msg->sol[msg->eoh] == '\r' ? msg->eoh + 2 : msg->eoh + 1);
+			unsigned long len = req->l - (msg->sol[msg->eoh] == '\r' ? msg->eoh + 2 : msg->eoh + 1);

 			/* If we have HTTP/1.1 and Expect: 100-continue, then abort.
 			 * We can't assume responsibility for the server's decision,
@ -3615,7 +3615,7 @@ int process_srv(struct session *t)
 			 */
 			struct http_msg * msg = &t->txn.req;
                        unsigned long body = msg->sol[msg->eoh] == '\r' ? msg->eoh + 2 :msg->eoh + 1;
-                        unsigned long len  = req->total - body;
+                        unsigned long len  = req->l - body;
 			long long limit = t->be->url_param_post_limit;
 			struct hdr_ctx ctx;
 			ctx.idx = 0;
@ -3623,7 +3623,7 @@ int process_srv(struct session *t)
 			http_find_header2("Transfer-Encoding", 17, msg->sol, &txn->hdr_idx, &ctx);
 			if ( ctx.idx && strncasecmp(ctx.line+ctx.val,"chunked",ctx.vlen)==0) {
 				unsigned int chunk = 0;
-			        while ( body < req->total && !HTTP_IS_CRLF(msg->sol[body])) {
+			        while ( body < req->l && !HTTP_IS_CRLF(msg->sol[body])) {
 					char c = msg->sol[body];
 					if (ishex(c)) {
 						unsigned int hex = toupper(c) - '0';
@ -3635,7 +3635,7 @@ int process_srv(struct session *t)
 					body++;
 					len--;
 				}
-				if ( body == req->total )
+				if ( body + 2 >= req->l )
 					return 0; /* end of buffer? data missing! */

 				if ( memcmp(msg->sol+body, "\r\n", 2) != 0 )