]> git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
projects / thirdparty / haproxy.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8861e1c)
BUG/MEDIUM: proto_htx: Fix data size update if end of the cookie is removed
authorChristopher Faulet <cfaulet@haproxy.com>
Tue, 12 Feb 2019 13:29:57 +0000 (14:29 +0100)
committerChristopher Faulet <cfaulet@haproxy.com>
Wed, 13 Feb 2019 08:56:54 +0000 (09:56 +0100)
When client-side or server-side cookies are parsed, if the end of the cookie
line is removed, the HTX message must be updated. The length of the HTX block is
decreased and the data size of the HTX message is modified accordingly. The
update of the HTX block was ok but the update of the HTX message was wrong,
leading to undefined behaviours during the data forwarding. One of possible
effect was a freeze of the connection and no data forward.

This patch must be backported in 1.9.

src/proto_htx.c patch | blob | blame | history

diff --git a/src/proto_htx.c b/src/proto_htx.c
index 9e285f216a592db8879405d202192bff38cefeea..59b7cb2738355f486cfeda3f8d438eb98355610b 100644 (file)
--- a/src/proto_htx.c
+++ b/src/proto_htx.c
@@ -4281,7 +4281,7 @@ static void htx_manage_client_side_cookies(struct stream *s, struct channel *req
                if ((hdr_end - hdr_beg) != ctx.value.len) {
                        if (hdr_beg != hdr_end) {
                                htx_set_blk_value_len(ctx.blk, hdr_end - hdr_beg);
-                               htx->data -= (hdr_end - ctx.value.ptr);
+                               htx->data -= ctx.value.len - (hdr_end - hdr_beg);
                        }
                        else
                                http_remove_header(htx, &ctx);
@@ -4460,9 +4460,9 @@ static void htx_manage_server_side_cookies(struct stream *s, struct channel *res
                                next         += stripped_before;
                                hdr_end      += stripped_before;
 
+                               htx_set_blk_value_len(ctx.blk, hdr_end - hdr_beg);
+                               htx->data -= ctx.value.len - (hdr_end - hdr_beg);
                                ctx.value.len = hdr_end - hdr_beg;
-                               htx_set_blk_value_len(ctx.blk, ctx.value.len);
-                               htx->data -= (hdr_end - ctx.value.ptr);
                        }
 
                        /* First, let's see if we want to capture this cookie. We check
Mirror of https://github.com/haproxy/haproxy.git