mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-06 07:07:04 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MAJOR: http: http_txn_get_path() may deference an inexisting buffer

Browse Source 
When the "path" sample fetch function is called without any path, the
function doesn't check that the request buffer is allocated. While this
doesn't happen with the request during processing, it can definitely
happen when mistakenly trying to reference a path from the response
since the request channel is not allocated anymore.

It's certain that this bug was emphasized by the buffer changes that
went in 1.9 and the HTTP refactoring, but at first glance, 1.8 doesn't
seem 100% safe either so it's possible that older version are affected
as well.

Thanks to PiBa-NL for reporting this bug with a reproducer.
This commit is contained in:
Willy Tarreau 2018-10-28 20:13:12 +01:00
parent 8e9f4531cb
commit 9d9ccdbf8b
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/proto_http.c
View File

@ -440,6 +440,9 @@ char *http_txn_get_path(const struct http_txn *txn)
{
struct ist ret;
if (!txn->req.chn->buf.size)
return NULL;
ret = http_get_path(ist2(ci_head(txn->req.chn) + txn->req.sl.rq.u, txn->req.sl.rq.u_l));
return ret.ptr;