mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-11-15 16:01:02 +01:00
Code Issues Projects Releases Wiki Activity

BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies

Browse Source 
Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
header is found then the while(1) loop in
http_manage_server_side_cookies() will never terminate, resulting in
the watchdog firing and the process terminating via SIGABRT.

The while(1) loop becomes unbounded because an unmatched call to
http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
calls to check for "Set-Cookie2" will now enumerate from the beginning
of all the blocks and will once again match on subsequent
passes (assuming a match first time around), hence the loop becoming
unbounded.

This issue was introduced with HTX and this fix should be backported
to all versions supporting HTX.

Many thanks to Grant Spence (gspence@redhat.com) for working through
this issue with me.
This commit is contained in:
Andrew McDermott 2022-02-11 18:26:49 +00:00 committed by Willy Tarreau
parent 1d5fdc526b
commit bfb15ab34e
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/http_ana.c
View File

@ -3418,7 +3418,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re
while (1) { while (1) {
int is_first = 1; int is_first = 1;
if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) { if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1)) if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
break; break;
is_cookie2 = 1; is_cookie2 = 1;