From 52fd8a1b7b8a5a328cb5f4fabd42d2ca7af78760 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Tue, 15 Nov 2022 10:46:28 +0100
Subject: [PATCH] BUG/MEDIUM: mux-fcgi: Avoid value length overflow when it doesn't fit at once

When the request data are copied in a mbuf, if the free space is too small to copy all data at once, the data length is shortened. When this is performed, we reserve the size of the STDIN recod header and eventually the same for the empty STDIN record if it is the last HTX block of the request. However, there is no test to be sure the free space is large enough. Thus, on this special case, when the mbuf is almost full, it is possible to overflow the value length. Because of this bug, it is possible to experience crashes from time to time. This patch should fix the issue #1923. It must be backported as far as 2.4.
---
 src/mux_fcgi.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/mux_fcgi.c b/src/mux_fcgi.c
index ab76fbb5b..a94d2732e 100644
--- a/src/mux_fcgi.c
+++ b/src/mux_fcgi.c
@@ -2190,7 +2190,9 @@ static size_t fcgi_strm_send_stdin(struct fcgi_conn *fconn, struct fcgi_strm *fs
 b_data(&outbuf) + v.len + extra_bytes <= b_room(mbuf) &&
 b_data(mbuf) <= MAX_DATA_REALIGN)
 goto realign_again;
- v.len = b_room(&outbuf) - FCGI_RECORD_HEADER_SZ - extra_bytes;
+ v.len = (FCGI_RECORD_HEADER_SZ + extra_bytes > b_room(&outbuf)
+ ? 0
+ : b_room(&outbuf) - FCGI_RECORD_HEADER_SZ - extra_bytes);
 }
 if (!v.len || !chunk_memcat(&outbuf, v.ptr, v.len)) {
 if (outbuf.data == FCGI_RECORD_HEADER_SZ)
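Review bot: The new ternary at `v.len = (FCGI_RECORD_HEADER_SZ + extra_bytes > b_room(&outbuf) ? 0 : ...)` carries no comment, so the `? 0` reads as an arbitrary value rather than the deliberate "nothing fits, let the `!v.len` test below take over" choice that prevents the unsigned subtraction from wrapping to an oversized length; a comment such as `/* not even the record header (plus the trailing empty STDIN record, if any) fits: emit nothing rather than let the unsigned subtraction wrap */` placed above the assignment would make that explicit. `b_room(&outbuf)` is now evaluated twice in one statement; a local `size_t room = b_room(&outbuf);` declared just before it would read more easily and keep both comparisons on the same value. The hunk shows only that a zero `v.len` enters the `if (!v.len || !chunk_memcat(...))` branch and its `outbuf.data == FCGI_RECORD_HEADER_SZ` check, so whether that branch handles the new "no room at all" case correctly cannot be confirmed from here; the enclosing fcgi_strm_send_stdin() starts and ends outside the hunk.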