LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4151 Commits
1 Branch
46 MiB
Tree: 25eeddbb21
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '25eeddbb21'
${ noResults }
openwrt-packages-dist/net/haproxy/patches/0015-BUG-MAJOR-http-don-t-c...

49 lines
2.1 KiB
Raw Normal View History

haproxy: fixes from upstream - [PATCH 14/16] BUG/MINOR: http: remove stupid HTTP_METH_NONE entry - [PATCH 15/16] BUG/MAJOR: http: don't call http_send_name_header() - [PATCH 16/16] BUG/MINOR: tools: make str2sa_range() report Signed-off-by: heil <heil@terminal-consulting.de>
9 years ago
 
  1. From 3f34b5539e7ba31e44055d853b9ba496e73e0bae Mon Sep 17 00:00:00 2001
  2. From: Willy Tarreau <w@1wt.eu>
  3. Date: Mon, 7 Sep 2015 19:32:33 +0200
  4. Subject: [PATCH 15/16] BUG/MAJOR: http: don't call http_send_name_header()
  5.  after an error
  6. 

  7. A crash was reported when using the "famous" http-send-name-header
  8. directive. This time it's a bit tricky, it requires a certain number of
  9. conditions to be met including maxconn on a server, queuing, timeout in
  10. the queue and cookie-based persistence.
  11. 

  12. The problem is that in stream.c, before calling http_send_name_header(),
  13. we check a number of conditions to know if we have to replace the header
  14. name. But prior to reaching this place, it's possible for
  15. sess_update_stream_int() to fail and change the stream-int's state to
  16. SI_ST_CLO, send an error 503 to the client, and flush all buffers. But
  17. http_send_name_header() can only be called with valid buffer contents
  18. matching the http_msg's description. So when it rewinds the stream to
  19. modify the header, buf->o becomes negative by the size of the incoming
  20. request and is used as the argument to memmove() which basically
  21. displaces 4GB of memory off a few bytes to write the new name, resulting
  22. in a core and a core file that's really not fun to play with.
  23. 

  24. The solution obviously consists in refraining from calling this nasty
  25. function when the stream interface is already closed.
  26. 

  27. This bug also affects 1.5 and possibly 1.4, so the fix must be backported
  28. there.
  29. (cherry picked from commit 9c03b33329cb4924716edc1c851913a18b0670dc)
  30. ---

  31.  src/session.c | 2 +-
  32.  1 file changed, 1 insertion(+), 1 deletion(-)
  33. 

  34. diff --git a/src/session.c b/src/session.c

  35. index 6d62e36..7520a85 100644

  36. --- a/src/session.c

  37. +++ b/src/session.c

  38. @@ -2293,7 +2293,7 @@ struct task *process_session(struct task *t)

  39.  
  40.  			/* Now we can add the server name to a header (if requested) */
  41.  			/* check for HTTP mode and proxy server_name_hdr_name != NULL */
  42. -			if ((s->si[1].state >= SI_ST_CON) &&

  43. +			if ((s->si[1].state >= SI_ST_CON) && (s->si[1].state < SI_ST_CLO) &&

  44.  			    (s->be->server_id_hdr_name != NULL) &&
  45.  			    (s->be->mode == PR_MODE_HTTP) &&
  46.  			    objt_server(s->target)) {
  47. -- 

  48. 2.4.6
  49.