From: Youfu Zhang
Date: Fri, 9 Dec 2022 11:15:48 +0000 (+0800)
Subject: BUG/MAJOR: fcgi: Fix uninitialized reserved bytes
X-Git-Tag: v2.8-dev1~149
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2e6bf0a2722866ae0128a4392fa2375bd1f03ff8;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: fcgi: Fix uninitialized reserved bytes

The output buffer is not zero-initialized. If we don't clear reserved bytes, fcgi requests sent to backend will leak sensitive data.

This patch must be backported as far as 2.2.
---

diff --git a/src/fcgi.c b/src/fcgi.c
index dcf2db2196..1d1a82b4c6 100644
--- a/src/fcgi.c
+++ b/src/fcgi.c
@@ -47,7 +47,7 @@ int fcgi_encode_record_hdr(struct buffer *out, const struct fcgi_header *h)
 	out->area[len++] = ((h->len >> 8) & 0xff);
 	out->area[len++] = (h->len & 0xff);
 	out->area[len++] = h->padding;
-	len++; /* rsv */
+	out->area[len++] = 0; /* rsv */
 
 	out->data = len;
 	return 1;
@@ -94,7 +94,11 @@ int fcgi_encode_begin_request(struct buffer *out, const struct fcgi_begin_reques
 	out->area[len++] = ((r->role >> 8) & 0xff);
 	out->area[len++] = (r->role & 0xff);
 	out->area[len++] = r->flags;
-	len += 5; /* rsv */
+	out->area[len++] = 0; /* rsv */
+	out->area[len++] = 0;
+	out->area[len++] = 0;
+	out->area[len++] = 0;
+	out->area[len++] = 0;
 
 	out->data = len;
 	return 1;
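Review bot: The `/* rsv */` comment on the added line in fcgi_encode_record_hdr does not record why the reserved byte must be written explicitly, so a later cleanup could turn it back into a bare `len++` and reintroduce the memory disclosure this commit fixes; suggest `out->area[len++] = 0; /* rsv: out->area is not zeroed, every byte counted in out->data must be written */`. The preceding header bytes are written the same way, so with this change the encoder writes every byte it accounts for in `out->data`. fcgi_encode_record_hdr begins outside the hunk, so whether a free-space check precedes these writes is not visible here.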
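Review bot: The five consecutive `out->area[len++] = 0;` lines in fcgi_encode_begin_request are a style point; a single `memset(out->area + len, 0, 5); len += 5; /* rsv: out->area is not zeroed */` states the intent in one place and is harder to miscount if the reserved-field width is ever touched. As in the first hunk, the comment should say that the explicit zeroing exists because the output buffer is never cleared, not just label the field. fcgi_encode_begin_request starts outside the hunk, so the size check that presumably guards these writes cannot be confirmed here; if any other encoder in this file advances `len` past reserved bytes without writing them, it would need the same treatment.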