]> git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
projects / thirdparty / haproxy.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 81c6f76)
MINOR: connection: use the srv pointer for the srv conn hash
authorAmaury Denoyelle <adenoyelle@haproxy.com>
Fri, 22 Jan 2021 15:47:46 +0000 (16:47 +0100)
committerAmaury Denoyelle <adenoyelle@haproxy.com>
Fri, 12 Feb 2021 11:33:05 +0000 (12:33 +0100)
The pointer of the target server is used as a first parameter for the
server connection hash calcul. This prevents the hash to be null when no
specific parameters are present, and can serve as a simple defense
against an attacker trying to reuse a non-conform connection.

include/haproxy/connection-t.h patch | blob | blame | history
src/backend.c patch | blob | blame | history
src/connection.c patch | blob | blame | history

diff --git a/include/haproxy/connection-t.h b/include/haproxy/connection-t.h
index dd52bd3a7eeac2092c9462ae7944271dfe20bbdd..a8239b43fe0c2faa57d1f9b6a7c8e75385fdb125 100644 (file)
--- a/include/haproxy/connection-t.h
+++ b/include/haproxy/connection-t.h
@@ -487,6 +487,7 @@ enum conn_hash_params_t {
  * connection hash.
  */
 struct conn_hash_params {
+       struct server *srv;
 };
 
 /* This structure describes a connection with its methods and data.
diff --git a/src/backend.c b/src/backend.c
index 4b2c9f8272fb82cc9573ddf2dbab599acc049cec..4879940ba2cbe077b71649505578fd9d995238c8 100644 (file)
--- a/src/backend.c
+++ b/src/backend.c
@@ -1251,15 +1251,18 @@ int connect_server(struct stream *s)
 
        /* first, set unique connection parameters and then calculate hash */
        memset(&hash_params, 0, sizeof(hash_params));
-       hash = conn_calculate_hash(&hash_params);
+
+       srv = objt_server(s->target);
+       hash_params.srv = srv;
+
+       if (srv)
+               hash = conn_calculate_hash(&hash_params);
 
        /* This will catch some corner cases such as lying connections resulting from
         * retries or connect timeouts but will rarely trigger.
         */
        si_release_endpoint(&s->si[1]);
 
-       srv = objt_server(s->target);
-
        /* do not reuse if mode is http or if avail list is not allocated */
        if ((s->be->mode != PR_MODE_HTTP) || (srv && !srv->available_conns_tree))
                goto skip_reuse;
diff --git a/src/connection.c b/src/connection.c
index f5dbffbc1928ec0b478ac3d849d1c68416efd739..3656b36366f08c735a7d588ae6c220efee5599f6 100644 (file)
--- a/src/connection.c
+++ b/src/connection.c
@@ -1421,6 +1421,8 @@ XXH64_hash_t conn_calculate_hash(const struct conn_hash_params *params)
 
        buf = trash.area;
 
+       conn_hash_update(buf, &idx, &params->srv, sizeof(params->srv), &hash_flags, 0);
+
        hash = conn_hash_digest(buf, idx, hash_flags);
        return hash;
 }
Mirror of https://github.com/haproxy/haproxy.git