|
|
- From 8e05ac2044c6523c867ceaaae1f10486370eec89 Mon Sep 17 00:00:00 2001
- From: Thierry FOURNIER <tfournier@haproxy.com>
- Date: Mon, 16 Mar 2015 11:14:41 +0100
- Subject: [PATCH 6/9] BUG/MAJOR: http: don't read past buffer's end in
- http_replace_value
-
- The function http_replace_value use bad variable to detect the end
- of the input string.
-
- Regression introduced by the patch "MEDIUM: regex: Remove null
- terminated strings." (c9c2daf2)
-
- We need to backport this patch int the 1.5 stable branch.
-
- WT: there is no possibility to overwrite existing data as we only read
- past the end of the request buffer, to copy into the trash. The copy
- is bounded by buffer_replace2(), just like the replacement performed
- by exp_replace(). However if a buffer happens to contain non-zero data
- up to the next unmapped page boundary, there's a theorical risk of
- crashing the process despite this not being reproducible in tests.
- The risk is low because "http-request replace-value" did not work due
- to this bug so that probably means it's not used yet.
- (cherry picked from commit 534101658d6e19aeb598bf7833a8ce167498c4ed)
- ---
- src/proto_http.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
- diff --git a/src/proto_http.c b/src/proto_http.c
- index 705f3b4..f53b5e2 100644
- --- a/src/proto_http.c
- +++ b/src/proto_http.c
- @@ -3206,7 +3206,7 @@ static int http_replace_value(struct my_regex *re, char *dst, uint dst_size, cha
-
- /* look for delim. */
- p_delim = p;
- - while (p_delim < p + len && *p_delim != delim)
- + while (p_delim < val + len && *p_delim != delim)
- p_delim++;
-
- if (regex_exec_match2(re, p, p_delim-p, MAX_MATCH, pmatch)) {
- @@ -3230,7 +3230,7 @@ static int http_replace_value(struct my_regex *re, char *dst, uint dst_size, cha
- return -1;
-
- /* end of the replacements. */
- - if (p_delim >= p + len)
- + if (p_delim >= val + len)
- break;
-
- /* Next part. */
- --
- 2.0.5
-
|
