mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2026-05-04 12:41:00 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: jwt: Copy input and parameters in dedicated buffers in jwt_verify converter

Browse Source 
When resolving variable values the temporary trash chunks are used so
when calling the 'jwt_verify' converter with two variable parameters
like in the following line, the input would be overwritten by the value
of the second parameter :
    var(txn.bearer),jwt_verify(txn.jwt_alg,txn.cert)
Copying the values into dedicated alloc'ed buffers prevents any new call
to get_trash_chunk from erasing the data we need in the converter.

This patch can be backported up to 2.8.
This commit is contained in:
Remi Tricot-Le Breton 2025-06-30 16:56:22 +02:00 committed by William Lallemand
parent 5ba0a2d527
commit 3465f88f8a
1 changed files with 40 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
src/sample.c
View File

@ -4491,19 +4491,53 @@ static int sample_conv_jwt_verify(const struct arg *args, struct sample *smp, vo
{
struct sample alg_smp, key_smp;
enum jwt_vrfy_status ret;
struct buffer *input = NULL;
struct buffer *alg = NULL;
struct buffer *key = NULL;
int retval = 0;
/* The two following calls to 'sample_conv_var2smp_str' will both make
* use of the preallocated trash buffer (via get_trash_chunk call in
* smp_dup) which would end up erasing the contents of the 'smp' input
* buffer.
*/
input = alloc_trash_chunk();
if (!input)
return 0;
alg = alloc_trash_chunk();
if (!alg)
goto end;
key = alloc_trash_chunk();
if (!key)
goto end;
if (!chunk_cpy(input, &smp->data.u.str))
goto end;
smp_set_owner(&alg_smp, smp->px, smp->sess, smp->strm, smp->opt);
smp_set_owner(&key_smp, smp->px, smp->sess, smp->strm, smp->opt);
if (!sample_conv_var2smp_str(&args[0], &alg_smp))
return 0;
if (!sample_conv_var2smp_str(&args[1], &key_smp))
return 0;
goto end;
if (chunk_printf(alg, "%.*s", (int)b_data(&alg_smp.data.u.str), b_orig(&alg_smp.data.u.str)) <= 0)
goto end;
ret = jwt_verify(&smp->data.u.str, &alg_smp.data.u.str, &key_smp.data.u.str);
smp_set_owner(&key_smp, smp->px, smp->sess, smp->strm, smp->opt);
if (!sample_conv_var2smp_str(&args[1], &key_smp))
goto end;
if (chunk_printf(key, "%.*s", (int)b_data(&key_smp.data.u.str), b_orig(&key_smp.data.u.str)) <= 0)
goto end;
ret = jwt_verify(input, alg, key);
smp->data.type = SMP_T_SINT;
smp->data.u.sint = ret;
return 1;
retval = 1;
end:
free_trash_chunk(input);
free_trash_chunk(alg);
free_trash_chunk(key);
return retval;
}