From 69ad4b997701b08e9de48fce4dc4ceeb7d80cb32 Mon Sep 17 00:00:00 2001
From: Nenad Merdanovic
Date: Tue, 29 Mar 2016 13:14:30 +0200
Subject: [PATCH] BUG/MAJOR: Fix crash in http_get_fhdr with exactly MAX_HDR_HISTORY headers

Similar issue was fixed in 67dad27, but the fix is incomplete. Crash still happened when utilizing req.fhdr() and sending exactly MAX_HDR_HISTORY headers. This fix needs to be backported to 1.5 and 1.6.

Signed-off-by: Nenad Merdanovic
---
 src/proto_http.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/proto_http.c b/src/proto_http.c
index b7654a67a..7abe4931e 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -8537,10 +8537,13 @@ unsigned int http_get_fhdr(const struct http_msg *msg, const char *hname, int hl
 }
 if (-occ > found)
 return 0;
+
 /* OK now we have the last occurrence in [hist_ptr-1], and we need to
- * find occurrence -occ, so we have to check [hist_ptr+occ].
+ * find occurrence -occ. 0 <= hist_ptr < MAX_HDR_HISTORY, and we have
+ * -10 <= occ <= -1. So we have to check [hist_ptr%MAX_HDR_HISTORY+occ]
+ * to remain in the 0..9 range.
 */
- hist_ptr += occ;
+ hist_ptr += occ + MAX_HDR_HISTORY;
 if (hist_ptr >= MAX_HDR_HISTORY)
 hist_ptr -= MAX_HDR_HISTORY;
 *vptr = ptr_hist[hist_ptr];
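Review bot: The rewritten comment above `hist_ptr += occ + MAX_HDR_HISTORY;` does not describe what that line computes: it gives the index as `[hist_ptr%MAX_HDR_HISTORY+occ]` and hard-codes `-10 <= occ <= -1` and `0..9`, so it goes stale if MAX_HDR_HISTORY ever changes. The index into `ptr_hist[]` depends on how many headers a request carries, and the commit message reports a crash on this path, so the invariant is worth stating in terms of the macro, e.g. `* find occurrence -occ. With 0 <= hist_ptr < MAX_HDR_HISTORY and -MAX_HDR_HISTORY <= occ <= -1, hist_ptr + occ + MAX_HDR_HISTORY lies in [0, 2*MAX_HDR_HISTORY), so the single subtraction below wraps it into range.` The lower bound on `occ` is not checked in this hunk, where only `-occ > found` is visible. It presumably comes from earlier in http_get_fhdr, whose body starts and ends outside the hunk, and the comment should name that check, because the single conditional subtraction is only sufficient while it holds.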