From: Aurelien DARRAGON Date: Tue, 4 Jul 2023 08:33:33 +0000 (+0200) Subject: BUG/MINOR: http_ext: unhandled ERR_ABORT in proxy_http_parse_7239() X-Git-Tag: v2.9-dev2~76 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5028a6e50bec80825a9e3691b4e20bea600abf0f;p=thirdparty%2Fhaproxy.git BUG/MINOR: http_ext: unhandled ERR_ABORT in proxy_http_parse_7239() _proxy_http_parse_7239_expr() helper used in proxy_http_parse_7239() function may return ERR_ABORT in case of memory error. But the error check used below is insufficient to catch ERR_ABORT so the function could keep executing prior to returning ERR_ABORT, which may cause undefined behavior. Hopefully no sensitive handling is performed in this case so this bug has very limited impact, but let's fix it anyway. We now use ERR_CODE mask instead of ERR_FATAL to check if err_code is set to any kind of error combination that should prevent the function from further executing. This may be backported in 2.8 with b2bb9257d2 ("MINOR: proxy/http_ext: introduce proxy forwarded option")
---
diff --git a/src/http_ext.c b/src/http_ext.c
index 9d70086c70..a36751931b 100644
--- a/src/http_ext.c
+++ b/src/http_ext.c
@@ -997,7 +997,7 @@ int proxy_http_parse_7239(char **args, int cur_arg,
 fwd->p_host.mode = HTTP_7239_HOST_SMP;
 err_code |= _proxy_http_parse_7239_expr(args, &cur_arg, file, linenum, &fwd->p_host.expr_s);
- if (err_code & ERR_FATAL)
+ if (err_code & ERR_CODE)
 goto out;
 } else if (strcmp(args[cur_arg], "by") == 0) {
 fwd->p_by.nn_mode = HTTP_7239_FORBY_ORIG;
@@ -1006,7 +1006,7 @@ int proxy_http_parse_7239(char **args, int cur_arg,
 fwd->p_by.nn_mode = HTTP_7239_FORBY_SMP;
 err_code |= _proxy_http_parse_7239_expr(args, &cur_arg, file, linenum, &fwd->p_by.nn_expr_s);
- if (err_code & ERR_FATAL)
+ if (err_code & ERR_CODE)
 goto out;
 } else if (strcmp(args[cur_arg], "for") == 0) {
 fwd->p_for.nn_mode = HTTP_7239_FORBY_ORIG;
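Review bot: In the hunk at 997, `fwd->p_host.mode = HTTP_7239_HOST_SMP;` is assigned before `_proxy_http_parse_7239_expr()` runs, so when the new `ERR_CODE` check jumps to `out` the option is left in sample mode while `expr_s` may never have been set. The `by`, `for`, `by_port` and `for_port` hunks have the same ordering with their `*_mode` / `*_expr_s` pairs. Whether this matters depends on what `out` does and on whether the caller always discards the proxy after an error; neither is visible, because the function body starts and ends outside these hunks. If the structure can outlive a failed parse, assigning the mode only after the check would keep it consistent, i.e. `if (err_code & ERR_CODE) goto out;` followed by `fwd->p_host.mode = HTTP_7239_HOST_SMP;`.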
@@ -1015,7 +1015,7 @@ int proxy_http_parse_7239(char **args, int cur_arg,
 fwd->p_for.nn_mode = HTTP_7239_FORBY_SMP;
 err_code |= _proxy_http_parse_7239_expr(args, &cur_arg, file, linenum, &fwd->p_for.nn_expr_s);
- if (err_code & ERR_FATAL)
+ if (err_code & ERR_CODE)
 goto out;
 } else if (strcmp(args[cur_arg], "by_port") == 0) {
 fwd->p_by.np_mode = HTTP_7239_FORBY_ORIG;
@@ -1024,7 +1024,7 @@ int proxy_http_parse_7239(char **args, int cur_arg,
 fwd->p_by.np_mode = HTTP_7239_FORBY_SMP;
 err_code |= _proxy_http_parse_7239_expr(args, &cur_arg, file, linenum, &fwd->p_by.np_expr_s);
- if (err_code & ERR_FATAL)
+ if (err_code & ERR_CODE)
 goto out;
 } else if (strcmp(args[cur_arg], "for_port") == 0) {
 fwd->p_for.np_mode = HTTP_7239_FORBY_ORIG;
@@ -1033,7 +1033,7 @@ int proxy_http_parse_7239(char **args, int cur_arg,
 fwd->p_for.np_mode = HTTP_7239_FORBY_SMP;
 err_code |= _proxy_http_parse_7239_expr(args, &cur_arg, file, linenum, &fwd->p_for.np_expr_s);
- if (err_code & ERR_FATAL)
+ if (err_code & ERR_CODE)
 goto out;
 } else {
 /* unknown suboption - catchall */
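Review bot: Nothing at the call sites records why the mask is `ERR_CODE` rather than `ERR_FATAL`, and the check is now repeated verbatim in five branches (the three hunks here and the two above them), which is presumably how the too-narrow mask spread. A short comment on the first occurrence would stop a later edit from narrowing it again, for example `/* ERR_CODE, not ERR_FATAL: the helper may return ERR_ABORT on memory error */`. It may also be worth checking for other `& ERR_FATAL` tests that follow a call able to return `ERR_ABORT`. The commit message points at the commit that introduced this option, but the rest of the file is not visible here. The enclosing `if`/`else if` chain starts before and continues past these hunks.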