BUG/MEDIUM: chunk: fix typo allocating small trash with bufsize_large

A copy-paste error in alloc_trash_buffers_per_thread() passes
global.tune.bufsize_large to alloc_small_trash_buffers() instead of
global.tune.bufsize_small. This sets small_trash_size = bufsize_large.

When tune.bufsize.large is configured, get_larger_trash_chunk() then
incorrectly matches a large buffer against small_trash_size at line
169 and "grows" it to a regular (smaller) buffer. b_xfer() at line
179 attempts to copy the large buffer's contents into the smaller one:

  - Default builds (DEBUG_STRICT=1): BUG_ON in __b_putblk() aborts
    the process -> remote DoS
  - DEBUG_STRICT=0 builds: BUG_ON becomes ASSUME() and the compiler
    elides the check -> heap overflow with attacker-controlled bytes

Reachable via the json converter (sample.c:2862) when escaping
~bufsize_large/6 control characters in attacker-supplied data such
as a request header or body.

Introduced in commit 92a24a4e875b ("MEDIUM: chunk: Add support for
small chunks"). No backport needed.

diff --git a/src/chunk.c b/src/chunk.c
index 639c7315733c0ed39d76dbc4a01b2550033621d2..e6d9a44a799ba97d8d727e02a3285e44f2dcd861 100644 (file)
--- a/src/chunk.c
+++ b/src/chunk.c
@@ -233,7 +233,7 @@ static int alloc_trash_buffers_per_thread()
 {
        return (alloc_trash_buffers(global.tune.bufsize) &&
                alloc_large_trash_buffers(global.tune.bufsize_large) &&
-               alloc_small_trash_buffers(global.tune.bufsize_large));
+               alloc_small_trash_buffers(global.tune.bufsize_small));
 }
 
 static void free_trash_buffers_per_thread()