From 534101658d6e19aeb598bf7833a8ce167498c4ed Mon Sep 17 00:00:00 2001 From: Thierry FOURNIER Date: Mon, 16 Mar 2015 11:14:41 +0100 Subject: [PATCH] BUG/MAJOR: http: don't read past buffer's end in http_replace_value The function http_replace_value use bad variable to detect the end of the input string. Regression introduced by the patch "MEDIUM: regex: Remove null terminated strings." (c9c2daf2) We need to backport this patch int the 1.5 stable branch. WT: there is no possibility to overwrite existing data as we only read past the end of the request buffer, to copy into the trash. The copy is bounded by buffer_replace2(), just like the replacement performed by exp_replace(). However if a buffer happens to contain non-zero data up to the next unmapped page boundary, there's a theorical risk of crashing the process despite this not being reproducible in tests. The risk is low because "http-request replace-value" did not work due to this bug so that probably means it's not used yet. --- src/proto_http.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/proto_http.c b/src/proto_http.c index 206ddcb6e..bfc64b01c 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -3273,7 +3273,7 @@ static int http_replace_value(struct my_regex *re, char *dst, uint dst_size, cha /* look for delim. */ p_delim = p; - while (p_delim < p + len && *p_delim != delim) + while (p_delim < val + len && *p_delim != delim) p_delim++; if (regex_exec_match2(re, p, p_delim-p, MAX_MATCH, pmatch, 0)) { @@ -3297,7 +3297,7 @@ static int http_replace_value(struct my_regex *re, char *dst, uint dst_size, cha return -1; /* end of the replacements. */ - if (p_delim >= p + len) + if (p_delim >= val + len) break; /* Next part. */