BUG/MINOR: http_fetch: fix possible uninit sockaddr in fetch_url_ip/port

Check the return value of url2sa in smp_fetch_url_ip/port. If negative, the address result is uninitialized and the sample fetch is aborted. Also, the sockaddr is prelimiary zero'ed before calling url2sa to ensure that it is not used by upper functions even if the sample returns 0. Without the check, the value returned by the url_ip/url_port fetches is unspecified. This can be triggered with the following curl : $ curl -iv --request-target "xxx://127.0.0.1:20080/" http://127.0.0.1:20080/ This should be backported to all stable branches. However, note that between the 1.8 and 2.0, the targetted functions have been extracted from proto_http.c to http_fetch.c. This should fix in part coverity report from the github issue #1244.
2026-05-04 20:46:11 +02:00 · 2021-05-10 11:23:34 +02:00 · 2021-05-10 11:23:34 +02:00 · c89d5337ee
commit c89d5337ee
parent 46b93afdb3
1 changed files with 8 additions and 2 deletions
--- a/src/http_fetch.c
+++ b/src/http_fetch.c
@ -705,10 +705,13 @@ static int smp_fetch_url_ip(const struct arg *args, struct sample *smp, const ch
 	struct htx_sl *sl;
 	struct sockaddr_storage addr;

+	memset(&addr, 0, sizeof(addr));
+
 	if (!htx)
 		return 0;
 	sl = http_get_stline(htx);
-	url2sa(HTX_SL_REQ_UPTR(sl), HTX_SL_REQ_ULEN(sl), &addr, NULL);
+	if (url2sa(HTX_SL_REQ_UPTR(sl), HTX_SL_REQ_ULEN(sl), &addr, NULL) < 0)
+		return 0;

 	if (addr.ss_family != AF_INET)
 		return 0;
@ -726,10 +729,13 @@ static int smp_fetch_url_port(const struct arg *args, struct sample *smp, const
 	struct htx_sl *sl;
 	struct sockaddr_storage addr;

+	memset(&addr, 0, sizeof(addr));
+
 	if (!htx)
 		return 0;
 	sl = http_get_stline(htx);
-	url2sa(HTX_SL_REQ_UPTR(sl), HTX_SL_REQ_ULEN(sl), &addr, NULL);
+	if (url2sa(HTX_SL_REQ_UPTR(sl), HTX_SL_REQ_ULEN(sl), &addr, NULL) < 0)
+		return 0;

 	if (addr.ss_family != AF_INET)
 		return 0;