mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-08-06 15:17:01 +02:00
When using the listener socket as file descriptor, qc->fd value is -1.
In this case one must not access fdtab[qc->fd] element to change its value.

This bug could have been detected by asan with such a backtrace:

    =================================================================
    ==402222==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fa8ecf417ex7fa8e915cf90 sp 0x7fa8e915cf88
    WRITE of size 8 at 0x7fa8ecf417e8 thread T6
        #0 0x55707a0bf18a in qc_new_cc_conn src/quic_conn.c:838
        #1 0x55707a0c6dc0 in quic_conn_release src/quic_conn.c:1408
        #2 0x55707a10916f in quic_close src/xprt_quic.c:35
        #3 0x55707a0cec77 in conn_xprt_close include/haproxy/connection.h:153
        #4 0x55707a0ceed0 in conn_full_close include/haproxy/connection.h:197
        #5 0x55707a0ec253 in qcc_release src/mux_quic.c:2412
        #6 0x55707a0ec7d0 in qcc_io_cb src/mux_quic.c:2443
        #7 0x55707a63ff2a in run_tasks_from_lists src/task.c:596
        #8 0x55707a641cc9 in process_runnable_tasks src/task.c:876
        #9 0x55707a56f7b2 in run_poll_loop src/haproxy.c:2954
        #10 0x55707a5705fd in run_thread_poll_loop src/haproxy.c:3153
        #11 0x7fa8f9450ea6 in start_thread nptl/pthread_create.c:477
        #12 0x7fa8f936ea2e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfba2e)

    0x7fa8ecf417e8 is located 24 bytes to the left of 134217728-byte region [0x7fa8e
    allocated by thread T0 here:
        #0 0x7fa8f9a37037 in __interceptor_calloc ../../../../src/libsanitizer/asan/
        #1 0x55707a71a61d in init_pollers src/fd.c:1161
        #2 0x55707a56cdf1 in init src/haproxy.c:2672
        #3 0x55707a5714c2 in main src/haproxy.c:3298
        #4 0x7fa8f9296d09 in __libc_start_main ../csu/libc-start.c:308

    Thread T6 created by T0 here:
        #0 0x7fa8f99e22a2 in __interceptor_pthread_create ../../../../src/libsanitizpp:214
        #1 0x55707a748a21 in setup_extra_threads src/thread.c:252
        #2 0x55707a5735c9 in main src/haproxy.c:3844
        #3 0x7fa8f9296d09 in __libc_start_main ../csu/libc-start.c:308

    SUMMARY: AddressSanitizer: heap-buffer-overflow src/quic_conn.c:838 in qc_new_cc
    Shadow bytes around the buggy address:
    ==402222==ABORTING
    Aborted

Thank you to @Tristan971 for having reported this bug in GH #2247.

No need to backport.
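Why the report in the commit message above shows an 8-byte write landing 24 bytes to the left of the table, and the kind of guard the message calls for, as an added example that is not HAProxy's code. The struct layout, sizes and all names are assumptions chosen to match the report's numbers on an LP64 platform.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical fd table entry, NOT HAProxy's struct fdtab: a 64-byte element
 * with an 8-byte pointer at offset 40, chosen to match the report's numbers.
 * Assumes an LP64 platform (8-byte pointers). */
struct fd_entry {
    uint64_t masks[3];        /* bytes  0..23 */
    int32_t  upd[2];          /* bytes 24..31 */
    void   (*iocb)(int fd);   /* bytes 32..39 */
    void    *owner;           /* bytes 40..47 */
    uint8_t  pad[16];         /* bytes 48..63 */
};
_Static_assert(sizeof(struct fd_entry) == 64, "model assumes LP64");

struct conn { int fd; };      /* fd == -1: connection uses the listener socket */

/* Byte offset, relative to the start of the table, touched by a write to
 * tab[fd].owner. Pure arithmetic: nothing is dereferenced. */
static ptrdiff_t owner_write_offset(int fd)
{
    return (ptrdiff_t)fd * (ptrdiff_t)sizeof(struct fd_entry)
         + (ptrdiff_t)offsetof(struct fd_entry, owner);
}

/* Guarded update: touch the table only when the connection owns a valid fd.
 * Returns 1 if the entry was updated, 0 if the update was skipped. */
static int set_fd_owner(struct fd_entry *tab, size_t nb_fd,
                        const struct conn *c, void *new_owner)
{
    if (c->fd < 0 || (size_t)c->fd >= nb_fd)
        return 0;
    tab[c->fd].owner = new_owner;
    return 1;
}

int main(void)
{
    static struct fd_entry tab[4];           /* constructed sample table */
    struct conn shared = { -1 }, own = { 2 };
    int marker = 0;
    printf("unguarded write for fd=-1 lands at offset %td\n",
           owner_write_offset(shared.fd));   /* 24 bytes left of the table */
    printf("guarded: fd=-1 -> %d, fd=2 -> %d\n",
           set_fd_owner(tab, 4, &shared, &marker),
           set_fd_owner(tab, 4, &own, &marker));
    return 0;
}
```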
The HAProxy documentation has been split into a number of different files for ease of use.

Please refer to the following files depending on what you're looking for:

- INSTALL for instructions on how to build and install HAProxy
- BRANCHES to understand the project's life cycle and what version to use
- LICENSE for the project's license
- CONTRIBUTING for the process to follow to submit contributions

The more detailed documentation is located in the doc/ directory:

- doc/intro.txt for a quick introduction on HAProxy
- doc/configuration.txt for the configuration's reference manual
- doc/lua.txt for the Lua's reference manual
- doc/SPOE.txt for how to use the SPOE engine
- doc/network-namespaces.txt for how to use network namespaces under Linux
- doc/management.txt for the management guide
- doc/regression-testing.txt for how to use the regression testing suite
- doc/peers.txt for the peers protocol reference
- doc/coding-style.txt for how to adopt HAProxy's coding style
- doc/internals for developer-specific documentation (not all up to date)