- commit 69d4ddf919fc4bc6d296a743baeccdd44fb89be6
- Author: Willy Tarreau <w@1wt.eu>
- Date: Sun Oct 28 20:13:12 2018 +0100
-
- BUG/MAJOR: http: http_txn_get_path() may dereference an inexisting buffer
-
- When the "path" sample fetch function is called without any path, the
- function doesn't check that the request buffer is allocated. While this
- doesn't happen with the request during processing, it can definitely
- happen when mistakenly trying to reference a path from the response
- since the request channel is not allocated anymore.
-
- It's certain that this bug was emphasized by the buffer changes that
- went in 1.9 and the HTTP refactoring, but at first glance, 1.8 doesn't
- seem 100% safe either so it's possible that older versions are affected
- as well.
-
- Thanks to PiBa-NL for reporting this bug with a reproducer.
-
- (cherry picked from commit 9d9ccdbf8b1178fefa2843c83bc6612733f9eca6)
- [wt: minor adaptation to older buffer API. There are some call places
- which don't look structurally safe though in their context the
- buffer always ought to be there]
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
- diff --git a/src/proto_http.c b/src/proto_http.c
- index a48c4fdb..fb18357b 100644
- --- a/src/proto_http.c
- +++ b/src/proto_http.c
- @@ -985,6 +985,9 @@ char *http_get_path(struct http_txn *txn)
- {
- char *ptr, *end;
-
- + if (!txn->req.chn->buf->size)
- + return NULL;
- +
- ptr = txn->req.chn->buf->p + txn->req.sl.rq.u;
- end = ptr + txn->req.sl.rq.u_l;
-
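Review bot: the new guard at the top of http_get_path() reads txn->req.chn->buf->size, so it still dereferences both txn->req.chn and chn->buf. It only protects the pointer arithmetic below if a released request buffer is represented by a non-NULL buffer whose size is 0. That assumption deserves a short comment directly above the check, since the commit message itself says some call places do not look structurally safe. The early return NULL also means every caller of http_get_path() should be confirmed to test the result before using it. Finally, the subject line names http_txn_get_path() while this hunk changes http_get_path(); the backport note should say so explicitly so the fix can be matched to the right function in this branch.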