From: Christopher Faulet Date: Thu, 7 Feb 2019 15:13:26 +0000 (+0100) Subject: BUG/MAJOR: spoe: Don't try to get agent config during SPOP healthcheck X-Git-Tag: v2.0-dev1~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=11389018bc92bf7b94533e682af5cb4bbf0e43d9;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: spoe: Don't try to get agent config during SPOP healthcheck

During SPOP healthchecks, a dummy appctx is used to create the HAPROXY-HELLO frame and then to parse the AGENT-HELLO frame. No agent is attached to it. So it is important not to rely on an agent during these stages. When the HAPROXY-HELLO frame is created, there is no problem: all accesses to an agent are guarded. This is not true during the parsing of the AGENT-HELLO frame. Thus, it is possible to crash HAProxy with a SPOA declaring the async or the pipelining capability during a healthcheck.

This patch must be backported to 1.9 and 1.8.

---
diff --git a/src/flt_spoe.c b/src/flt_spoe.c index 0f7a21ae3a..1a1194fa68 100644 --- a/src/flt_spoe.c +++ b/src/flt_spoe.c @@ -825,10 +825,14 @@ spoe_handle_agenthello_frame(struct appctx *appctx, char *frame, size_t size) SPOE_APPCTX(appctx)->status_code = SPOE_FRM_ERR_NO_FRAME_SIZE; return -1; } - if ((flags & SPOE_APPCTX_FL_PIPELINING) && !(agent->flags & SPOE_FL_PIPELINING)) - flags &= ~SPOE_APPCTX_FL_PIPELINING; - if ((flags & SPOE_APPCTX_FL_ASYNC) && !(agent->flags & SPOE_FL_ASYNC)) - flags &= ~SPOE_APPCTX_FL_ASYNC; + if (!agent) + flags &= ~(SPOE_APPCTX_FL_PIPELINING|SPOE_APPCTX_FL_ASYNC); + else { + if ((flags & SPOE_APPCTX_FL_PIPELINING) && !(agent->flags & SPOE_FL_PIPELINING)) + flags &= ~SPOE_APPCTX_FL_PIPELINING; + if ((flags & SPOE_APPCTX_FL_ASYNC) && !(agent->flags & SPOE_FL_ASYNC)) + flags &= ~SPOE_APPCTX_FL_ASYNC; + } SPOE_APPCTX(appctx)->version = (unsigned int)vsn; SPOE_APPCTX(appctx)->max_frame_size = (unsigned int)max_frame_size;
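Review bot: the new `if (!agent)` branch clears both capability bits without saying why `agent` can be NULL at this point; the reason (the dummy appctx used for SPOP healthchecks has no agent attached) lives only in the commit message, so a short comment above it, e.g. `/* no agent during SPOP healthchecks: refuse async/pipelining */`, would keep the guard from being "simplified away" later. The hunk only protects these two dereferences: the trailing context (`->version` and `->max_frame_size` assignments on `SPOE_APPCTX(appctx)`) does not touch `agent`, but the rest of `spoe_handle_agenthello_frame` is outside this hunk, so it is worth confirming that no other `agent->` access remains reachable on the healthcheck path before backporting to 1.9 and 1.8.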