BUG/MAJOR: fcgi: Fix param decoding by properly checking its size

In functions used to decode a FCGI parameter, the test on the data length
before reading the parameter's name and value did not consider the offset
value used to skip already parsed data. So it was possible to read more data
than available (OOB read). To do so, a malicious FCGI server must send a
forged GET_VALUES_RESULT record containing a parameter with wrong name/value
length.

Thank you to Kamil Frankowicz for having reported this.

This patch must be backported to all stable versions.
Christopher Faulet 2026-03-04 14:53:04 +01:00
parent 306931dfb1
commit 96286b2a84
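The out-of-bounds read described in the commit message, as an added example that is not HAProxy's code: a minimal FastCGI name-value pair decoder carrying the pre-patch check and the corrected one side by side, run over a constructed GET_VALUES_RESULT body whose last parameter declares lengths that fit the record as a whole but not the bytes remaining after the current offset. The `fcgi_decode_len` and `decode_param` names, the `fixed` switch and the two sample records are this example's own assumptions.

```c
/* Added example (not HAProxy's code): decode FastCGI name-value pairs
 * with the old check (data < nlen + vlen) and the fixed check that
 * accounts for the offset o of already parsed data. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

struct fcgi_param {
    size_t noff, nlen;   /* offset and length of the name within the record */
    size_t voff, vlen;   /* offset and length of the value within the record */
};

/* Decode one FastCGI length field at *o: one byte if its high bit is clear,
 * otherwise four bytes big-endian with the high bit masked off.
 * Returns the number of bytes consumed, or 0 if the field is truncated. */
static size_t fcgi_decode_len(const uint8_t *buf, size_t data, size_t *o, uint32_t *len)
{
    if (*o >= data)
        return 0;
    if (buf[*o] < 0x80) {
        *len = buf[*o];
        *o += 1;
        return 1;
    }
    if (data - *o < 4)
        return 0;
    *len = ((uint32_t)(buf[*o] & 0x7f) << 24) | ((uint32_t)buf[*o + 1] << 16) |
           ((uint32_t)buf[*o + 2] << 8) | buf[*o + 3];
    *o += 4;
    return 4;
}

/* Decode the parameter starting at offset o of a record holding data bytes.
 * Returns the bytes it spans, or 0 if it does not fit. fixed = 0 applies the
 * pre-patch check (which forgets o), fixed = 1 the corrected check. */
static size_t decode_param(const uint8_t *buf, size_t data, size_t o,
                           struct fcgi_param *p, int fixed)
{
    size_t start = o;
    uint32_t nlen, vlen;

    if (!fcgi_decode_len(buf, data, &o, &nlen) || !fcgi_decode_len(buf, data, &o, &vlen))
        return 0;
    if (fixed) {
        /* Subtract rather than add so wire-controlled lengths cannot wrap the sum;
         * fcgi_decode_len guarantees o <= data here. */
        if (data - o < nlen || data - o - nlen < vlen)
            return 0;
    } else if (data < (size_t)nlen + vlen) {
        return 0;   /* old check: compares against the whole record, not what is left */
    }
    p->noff = o; p->nlen = nlen; o += nlen;
    p->voff = o; p->vlen = vlen; o += vlen;
    return o - start;
}

/* Constructed GET_VALUES_RESULT body (12 bytes): one well-formed pair, then a
 * forged pair whose lengths (6 + 2) fit the record total but not the 1 byte left. */
static const uint8_t forged[] = {
    4, 3, 'N', 'A', 'M', 'E', 'a', 'b', 'c',   /* nlen=4, vlen=3: fits */
    6, 2, 'X'                                  /* nlen=6, vlen=2: overruns */
};

/* Constructed pair using the 4-byte length form for the name (12 bytes). */
static const uint8_t longlen[] = {
    0x80, 0x00, 0x00, 0x04, 3, 'N', 'A', 'M', 'E', 'a', 'b', 'c'
};

int main(void)
{
    struct fcgi_param p;
    size_t o = 0, n;

    /* With the corrected check the walk stops at the forged pair. */
    while (o < sizeof(forged) && (n = decode_param(forged, sizeof(forged), o, &p, 1)) != 0) {
        printf("param %.*s=%.*s\n", (int)p.nlen, (const char *)forged + p.noff,
               (int)p.vlen, (const char *)forged + p.voff);
        o += n;
    }
    printf("forged pair at offset 9: old check accepts %zu bytes, fixed check accepts %zu\n",
           decode_param(forged, sizeof(forged), 9, &p, 0),
           decode_param(forged, sizeof(forged), 9, &p, 1));
    return 0;
}
```

The old check accepts the forged pair because 12 >= 6 + 2, and the value it hands back ends at offset 19 of a 12-byte record, which is the read past the buffer the commit message describes; the corrected check compares the lengths against `data - o` and rejects it. Writing the check as a subtraction also avoids relying on the sum `o + nlen + vlen` not wrapping when the two lengths come from the 31-bit wire form.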

@ -198,7 +198,7 @@ size_t fcgi_decode_param(const struct buffer *in, size_t o, struct fcgi_param *p
len += 4;
}
if (data < nlen + vlen)
if (data < o + nlen + vlen)
return 0;
p->n = ist2(b_peek(in, o), nlen);
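Review bot: the new condition `if (data < o + nlen + vlen)` forms the sum before comparing; if nlen and vlen hold the values decoded from the 4-byte length form (the `len += 4` branch just above), a wrapped sum on a 32-bit size_t would still pass the check. The subtractive form `if (nlen > data - o || vlen > data - o - nlen) return 0;` cannot wrap and makes the assumption `o <= data` explicit. A one-line comment stating that `data` is the total available length and `o` the offset already consumed would also help, since the old check read as if `data` were the remaining length.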
@ -253,7 +253,7 @@ size_t fcgi_aligned_decode_param(const struct buffer *in, size_t o, struct fcgi_
len += 4;
}
if (data < nlen + vlen)
if (data < o + nlen + vlen)
return 0;
p->n = ist2(in->area + o, nlen);
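Review bot: this hunk repeats the identical fix in fcgi_aligned_decode_param, and neither path gains a regression test; a unit test feeding both decoders a GET_VALUES_RESULT record whose last parameter declares a name/value length that fits the record total but not the bytes left after `o` (the case the commit message describes) would catch the check regressing in either copy. Since the two functions differ only in how the name pointer is obtained (`b_peek(in, o)` versus `in->area + o`), sharing the bounds check between them would keep the next fix from having to land twice.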