From b810554f8f45e4488965b5a2fbfcd2f825fa9d3d Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Wed, 24 Nov 2010 18:31:28 +0100 Subject: [PATCH] [CRITICAL] cookies: mixing cookies in indirect mode and appsession can crash the process Cookies in indirect mode are removed from the cookie header. Three pointers ought to be updated when appsession cookies are processed next, but were not. The result is that a memcpy() can be called with a negative value causing the process to crash. It is not sure whether this can be remotely exploited or not. (cherry picked from commit c5f3749aa3ccfdebc4992854ea79823d26f66213) --- src/proto_http.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/proto_http.c b/src/proto_http.c index a65a923e8..5385ffc23 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -6263,6 +6263,11 @@ void manage_client_side_cookies(struct session *t, struct buffer *req) if (del_from != NULL) { int delta = del_hdr_value(req, &del_from, prev); + if (att_beg >= del_from) + att_beg += delta; + if (att_end >= del_from) + att_end += delta; + val_beg += delta; val_end += delta; next += delta; hdr_end += delta;
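Review bot: The two new guards `if (att_beg >= del_from)` and `if (att_end >= del_from)` are evaluated after `del_hdr_value(req, &del_from, prev)`, which takes `del_from` by address and may therefore have changed it before the comparison. If the intent is to compare against the start of the removed region as it was before the deletion, save that position in a local before the call and compare against the saved copy, or add a comment stating that `del_from` is still valid as the comparison point after the call. A second point in the same block: `att_beg` and `att_end` are shifted conditionally, while the added `val_beg += delta;` is unconditional, like the existing `val_end`, `next` and `hdr_end` lines. A one-line comment saying why the value pointers always lie past `del_from` while the attribute pointers may not would make that invariant checkable by the next reader. Because the commit message attributes the crash to a `memcpy()` called with a negative length, it would also be worth rejecting a negative length at the copy site, so that a pointer missed in a future change fails safely rather than crashing the process.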