mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-21 22:01:31 +02:00
Code Issues Projects Releases Wiki Activity

BUG/CRITICAL: hpack: fix improper sign check on the header index value

Browse Source 
Tim Dsterhus found using afl-fuzz that some parts of the HPACK decoder
use incorrect bounds checking which do not catch negative values after
a type cast. The first culprit is hpack_valid_idx() which takes a signed
int and is fed with an unsigned one, but a few others are affected as
well due to being designed to work with an uint16_t as in the table
header, thus not being able to detect the high offset bits, though they
are not exposed if hpack_valid_idx() is fixed.

The impact is that the HPACK decoder can be crashed by an out-of-bounds
read. The only work-around without this patch is to disable H2 in the
configuration.

CVE-2018-14645 was assigned to this bug.

This patch addresses all of these issues at once. It must be backported
to 1.8.
This commit is contained in:
Willy Tarreau 2018-09-17 14:07:33 +02:00
parent f7db9305aa
commit 7f2a44d319
3 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
include/common/hpack-tbl.h
View File

@ -155,7 +155,7 @@ static inline const struct hpack_dte *hpack_get_dte(const struct hpack_dht *dht,
} }
/* returns non-zero if <idx> is valid for table <dht> */ /* returns non-zero if <idx> is valid for table <dht> */
static inline int hpack_valid_idx(const struct hpack_dht *dht, uint16_t idx) static inline int hpack_valid_idx(const struct hpack_dht *dht, uint32_t idx)
{ {
return idx < dht->used + HPACK_SHT_SIZE; return idx < dht->used + HPACK_SHT_SIZE;
} }
@ -181,7 +181,7 @@ static inline struct ist hpack_get_value(const struct hpack_dht *dht, const stru
} }
/* takes an idx, returns the associated name */ /* takes an idx, returns the associated name */
static inline struct ist hpack_idx_to_name(const struct hpack_dht *dht, int idx) static inline struct ist hpack_idx_to_name(const struct hpack_dht *dht, uint32_t idx)
{ {
const struct hpack_dte *dte; const struct hpack_dte *dte;
@ -196,7 +196,7 @@ static inline struct ist hpack_idx_to_name(const struct hpack_dht *dht, int idx)
} }
/* takes an idx, returns the associated value */ /* takes an idx, returns the associated value */
static inline struct ist hpack_idx_to_value(const struct hpack_dht *dht, int idx) static inline struct ist hpack_idx_to_value(const struct hpack_dht *dht, uint32_t idx)
{ {
const struct hpack_dte *dte; const struct hpack_dte *dte;

2
src/hpack-dec.c
View File

@ -114,7 +114,7 @@ static inline int hpack_idx_to_phdr(uint32_t idx)
* allocated there. In case of allocation failure, returns a string whose * allocated there. In case of allocation failure, returns a string whose
* pointer is NULL. * pointer is NULL.
*/ */
static inline struct ist hpack_alloc_string(struct buffer *store, int idx, static inline struct ist hpack_alloc_string(struct buffer *store, uint32_t idx,
struct ist in) struct ist in)
{ {
struct ist out; struct ist out;

2
src/hpack-tbl.c
View File

@ -113,7 +113,7 @@ static inline unsigned int hpack_dht_get_tail(const struct hpack_dht *dht)
/* dump the whole dynamic header table */ /* dump the whole dynamic header table */
static void hpack_dht_dump(FILE *out, const struct hpack_dht *dht) static void hpack_dht_dump(FILE *out, const struct hpack_dht *dht)
{ {
int i; unsigned int i;
unsigned int slot; unsigned int slot;
char name[4096], value[4096]; char name[4096], value[4096];