From a0df95747184899b289c363d1743e80e93c233d1 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Mon, 25 Feb 2019 11:15:08 +0100
Subject: [PATCH] BUG/MAJOR: cache/htx: Set the start-line offset when a cached object is served

When the function htx_add_stline() is used, this offset is automatically set
when necessary. But the HTX cache applet adds all header blocks of the
responses manually, including the start-line. So its offset must be explicitly
set by the applet.

When everything goes well, the HTTP analyzer http_wait_for_response() looks for
the start-line in the HTX messages, calling http_find_stline(). If necessary,
the start-line offset will also be automatically set during this stage. So the
bug of the HTX cache applet does not hurt most of the time. But, when an error
occurred, HTTP responses analyzers can be bypassed. In such cases, the
start-line offset of cached responses remains unset.

Some parts of the code rely on the start-line offset to process the HTX
messages. Among others, when H2 responses are sent to clients, the H2
multiplexer reads the start-line without any check, because it _MUST_ always be
there. If its offset is not set, a NULL pointer is dereferenced leading to a
segfault.

The patch must be backported to 1.9.
---
 src/cache.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/cache.c b/src/cache.c
index 698395f15..074c43bc4 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -913,6 +913,10 @@ static size_t htx_cache_dump_headers(struct appctx *appctx, struct htx *htx)
 		if (!blk)
 			return 0;
 
+		/* Set the start-line offset */
+		if (type == HTX_BLK_RES_SL)
+			htx->sl_off = blk->addr;
+
 		/* Copy info and data */
 		blk->info = info;
 		memcpy(htx_get_blk_ptr(htx, blk), b_peek(tmp, offset+4), sz);
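Review bot: The open-coded `htx->sl_off = blk->addr;` in the htx_cache_dump_headers() hunk duplicates bookkeeping that, per the commit message, htx_add_stline() already performs; either route the cached start-line through htx_add_stline() or extend the new comment to say it must be kept in sync with that function, otherwise a later change to how the start-line offset is tracked will silently reintroduce the NULL dereference in the H2 multiplexer. The placement is otherwise right: the assignment sits after `if (!blk) return 0;`, so blk->addr is only read once htx_add_blk() has succeeded, and restricting it to HTX_BLK_RES_SL matches the fact that the cache applet only replays responses.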