From 8e05ac2044c6523c867ceaaae1f10486370eec89 Mon Sep 17 00:00:00 2001 From: Thierry FOURNIER Date: Mon, 16 Mar 2015 11:14:41 +0100 Subject: [PATCH 6/9] BUG/MAJOR: http: don't read past buffer's end in http_replace_value The function http_replace_value use bad variable to detect the end of the input string. Regression introduced by the patch "MEDIUM: regex: Remove null terminated strings." (c9c2daf2) We need to backport this patch int the 1.5 stable branch. WT: there is no possibility to overwrite existing data as we only read past the end of the request buffer, to copy into the trash. The copy is bounded by buffer_replace2(), just like the replacement performed by exp_replace(). However if a buffer happens to contain non-zero data up to the next unmapped page boundary, there's a theorical risk of crashing the process despite this not being reproducible in tests. The risk is low because "http-request replace-value" did not work due to this bug so that probably means it's not used yet. (cherry picked from commit 534101658d6e19aeb598bf7833a8ce167498c4ed) --- src/proto_http.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/proto_http.c b/src/proto_http.c index 705f3b4..f53b5e2 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -3206,7 +3206,7 @@ static int http_replace_value(struct my_regex *re, char *dst, uint dst_size, cha /* look for delim. */ p_delim = p; - while (p_delim < p + len && *p_delim != delim) + while (p_delim < val + len && *p_delim != delim) p_delim++; if (regex_exec_match2(re, p, p_delim-p, MAX_MATCH, pmatch)) { @@ -3230,7 +3230,7 @@ static int http_replace_value(struct my_regex *re, char *dst, uint dst_size, cha return -1; /* end of the replacements. */ - if (p_delim >= p + len) + if (p_delim >= val + len) break; /* Next part. */ -- 2.0.5