BUG/MEDIUM: spoe: Return an invalid frame on recv if size is too small

Frames with a too small size must be detected on receive and an error must
be triggered. It is especially important for frames of size 0. Otherwise,
because the frame length is used as return value, the frame is ignored (0 is
the return value to state the frame must be ignored). It is an issue because
in this case, outgoing data, the 4 bytes representing the frame size, are
never consumed. If the agent also closes the connection, this leads to a
wakeup loop because outgoing data are stuck and a shutdown is pending.

In addition, all pending outgoing data are systematcially skipped when the
applet is in SPOE_APPCTX_ST_END state.

The patch should fix the issue #2490. It must be backported to all stable
versions.

diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index 0c06bed774e3d3303449b5c11fc34ac8b731111c..f646581efd7dde92c9e4e84421f003dfa8a8580c 100644 (file)
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -1165,6 +1165,10 @@ spoe_recv_frame(struct appctx *appctx, char *buf, size_t framesz)
        ret = co_getblk(sc_oc(sc), (char *)&netint, 4, 0);
        if (ret > 0) {
                framesz = ntohl(netint);
+               if (framesz < 7)  {
+                       SPOE_APPCTX(appctx)->status_code = SPOE_FRM_ERR_INVALID;
+                       return -1;
+               }
                if (framesz > SPOE_APPCTX(appctx)->max_frame_size) {
                        SPOE_APPCTX(appctx)->status_code = SPOE_FRM_ERR_TOO_BIG;
                        return -1;
@@ -1998,6 +2002,7 @@ spoe_handle_appctx(struct appctx *appctx)
                        __fallthrough;
 
                case SPOE_APPCTX_ST_END:
+                       co_skip(sc_oc(sc), co_data(sc_oc(sc)));
                        return;
        }
   out: