You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
39 lines
1.5 KiB
39 lines
1.5 KiB
commit 69d4ddf919fc4bc6d296a743baeccdd44fb89be6
|
|
Author: Willy Tarreau <w@1wt.eu>
|
|
Date: Sun Oct 28 20:13:12 2018 +0100
|
|
|
|
BUG/MAJOR: http: http_txn_get_path() may deference an inexisting buffer
|
|
|
|
When the "path" sample fetch function is called without any path, the
|
|
function doesn't check that the request buffer is allocated. While this
|
|
doesn't happen with the request during processing, it can definitely
|
|
happen when mistakenly trying to reference a path from the response
|
|
since the request channel is not allocated anymore.
|
|
|
|
It's certain that this bug was emphasized by the buffer changes that
|
|
went in 1.9 and the HTTP refactoring, but at first glance, 1.8 doesn't
|
|
seem 100% safe either so it's possible that older version are affected
|
|
as well.
|
|
|
|
Thanks to PiBa-NL for reporting this bug with a reproducer.
|
|
|
|
(cherry picked from commit 9d9ccdbf8b1178fefa2843c83bc6612733f9eca6)
|
|
[wt: minor adaptation to older buffer API. There are some call places
|
|
which don't look structurally safe though in their context the
|
|
buffer always ought to be there]
|
|
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
|
|
|
diff --git a/src/proto_http.c b/src/proto_http.c
|
|
index a48c4fdb..fb18357b 100644
|
|
--- a/src/proto_http.c
|
|
+++ b/src/proto_http.c
|
|
@@ -985,6 +985,9 @@ char *http_get_path(struct http_txn *txn)
|
|
{
|
|
char *ptr, *end;
|
|
|
|
+ if (!txn->req.chn->buf->size)
|
|
+ return NULL;
|
|
+
|
|
ptr = txn->req.chn->buf->p + txn->req.sl.rq.u;
|
|
end = ptr + txn->req.sl.rq.u_l;
|
|
|