commit 69d4ddf919fc4bc6d296a743baeccdd44fb89be6
Author: Willy Tarreau
Date:   Sun Oct 28 20:13:12 2018 +0100

    BUG/MAJOR: http: http_txn_get_path() may dereference a nonexistent buffer

    When the "path" sample fetch function is called without any path, the
    function doesn't check that the request buffer is allocated. While this
    doesn't happen with the request during processing, it can definitely
    happen when mistakenly trying to reference a path from the response since
    the request channel is not allocated anymore.

    It's certain that this bug was emphasized by the buffer changes that went
    in 1.9 and the HTTP refactoring, but at first glance, 1.8 doesn't seem
    100% safe either so it's possible that older versions are affected as well.

    Thanks to PiBa-NL for reporting this bug with a reproducer.

    (cherry picked from commit 9d9ccdbf8b1178fefa2843c83bc6612733f9eca6)
    [wt: minor adaptation to older buffer API. There are some call places
     which don't look structurally safe though in their context the buffer
     always ought to be there]
    Signed-off-by: Willy Tarreau

diff --git a/src/proto_http.c b/src/proto_http.c
index a48c4fdb..fb18357b 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -985,6 +985,9 @@ char *http_get_path(struct http_txn *txn)
 {
 	char *ptr, *end;
 
+	if (!txn->req.chn->buf->size)
+		return NULL;
+
 	ptr = txn->req.chn->buf->p + txn->req.sl.rq.u;
 	end = ptr + txn->req.sl.rq.u_l;
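Review bot: the new guard in the http_get_path() hunk tests `txn->req.chn->buf->size` rather than `txn->req.chn->buf` itself, so it only protects callers if an unallocated request channel always carries a placeholder buffer object with size 0 and never a NULL pointer; if any caller can reach this function with `buf == NULL` (the backport note above admits some call sites "don't look structurally safe"), the check itself is the dereference. Suggest documenting that invariant in a comment next to the check, e.g. `/* unallocated channel: buf points to the empty placeholder, size == 0 */`, and auditing the callers of http_get_path() in the same change, since the function now returns NULL where it previously returned a pointer and any caller that computes `end - ptr` or passes the result to a string routine without a NULL test will turn this fix into a different crash.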