From: Thierry FOURNIER
Date: Mon, 16 Mar 2015 10:14:41 +0000 (+0100)
Subject: BUG/MAJOR: http: don't read past buffer's end in http_replace_value
X-Git-Tag: v1.6-dev2~315
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=534101658d6e19aeb598bf7833a8ce167498c4ed;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: http: don't read past buffer's end in http_replace_value

The function http_replace_value uses a bad variable to detect the end of the input string.

Regression introduced by the patch "MEDIUM: regex: Remove null terminated strings." (c9c2daf2)

We need to backport this patch into the 1.5 stable branch.

WT: there is no possibility to overwrite existing data as we only read past the end of the request buffer, to copy into the trash. The copy is bounded by buffer_replace2(), just like the replacement performed by exp_replace(). However if a buffer happens to contain non-zero data up to the next unmapped page boundary, there's a theoretical risk of crashing the process despite this not being reproducible in tests. The risk is low because "http-request replace-value" did not work due to this bug so that probably means it's not used yet.
---
diff --git a/src/proto_http.c b/src/proto_http.c
index 206ddcb6ef..bfc64b01c4 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3273,7 +3273,7 @@ static int http_replace_value(struct my_regex *re, char *dst, uint dst_size, cha
/* look for delim. */
p_delim = p;
- while (p_delim < p + len && *p_delim != delim)
+ while (p_delim < val + len && *p_delim != delim)
p_delim++;
if (regex_exec_match2(re, p, p_delim-p, MAX_MATCH, pmatch, 0)) {
@@ -3297,7 +3297,7 @@ static int http_replace_value(struct my_regex *re, char *dst, uint dst_size, cha
return -1;
/* end of the replacements. */
- if (p_delim >= p + len)
+ if (p_delim >= val + len)
break;
/* Next part. */
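Review bot: the new bound `val + len` in the delimiter scan of the first hunk (line 3273) is the right one, because `len` is the length of the whole value `val` while `p` has already been advanced past the parts processed earlier; with the old `p + len` the scan could continue `p - val` bytes beyond the end of the value, which is exactly the over-read the subject line describes, and the overrun grows with every part consumed. Since the same `val + len` expression is the limit both for this loop and for the end-of-replacements check in the second hunk, consider computing it once into a local at the top of the function (for instance `const char *end = val + len;`) so the two sites share one obviously correct bound and cannot drift apart again.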
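Review bot: the `p_delim >= val + len` check in the second hunk (line 3297) must move in lock-step with the loop bound of the first hunk; fixing only one of them would keep the over-read alive, since a `p_delim` that stopped at `val + len` is still below `p + len` whenever `p > val`, the `break` would not fire, and the "Next part" step would set `p = p_delim + 1` past the end of the value before the next scan. Given that the message says the problem was not reproducible in tests, a regression test driving `http-request replace-value` over a header value containing several delimiters would catch a future reintroduction of either half of this bug.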
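The bounds mistake the commit fixes is easy to reproduce in isolation, so here is an added example (not HAProxy code, and not part of this commit) that scans a delimiter-separated value exactly as the fixed loop does, with the end pointer computed once from the value's start and length. The helper names `split_parts`, `part_t` and `old_bound_max_overrun` are assumed for this example, and the input is constructed; `old_bound_max_overrun` quantifies, without performing any out-of-bounds access, how far the pre-fix bound `p + len` would have allowed the scan to run past the real end for each part.

```c
#include <stddef.h>
#include <string.h>

/* One delimiter-separated part of a value (assumed type for this example). */
typedef struct {
    const char *start;
    size_t len;
} part_t;

/* Split the value val[0..len) into parts separated by delim, following the
 * corrected HAProxy loop: the only valid upper bound is end = val + len,
 * regardless of how far p has already advanced. Returns the number of
 * parts written to out (at most max_out). An empty value yields one empty
 * part; a trailing delimiter yields a final empty part. */
int split_parts(const char *val, size_t len, char delim, part_t *out, int max_out)
{
    const char *end = val + len;    /* computed once, shared by both checks */
    const char *p = val;
    int n = 0;

    while (n < max_out) {
        const char *p_delim = p;

        /* look for delim, bounded by the end of the whole value */
        while (p_delim < end && *p_delim != delim)
            p_delim++;

        out[n].start = p;
        out[n].len = (size_t)(p_delim - p);
        n++;

        /* end of the parts: the same bound decides when to stop */
        if (p_delim >= end)
            break;

        /* next part starts just after the delimiter */
        p = p_delim + 1;
    }
    return n;
}

/* For each part start p, the pre-fix bound p + len exceeds the true end
 * val + len by (p + len) - (val + len) == p - val bytes. Walk the parts
 * with the correct bound and return the largest such overrun, i.e. the
 * offset of the last part; the overrun grows with every part consumed. */
size_t old_bound_max_overrun(const char *val, size_t len, char delim)
{
    const char *end = val + len;
    const char *p = val;
    size_t worst = 0;

    for (;;) {
        size_t overrun = (size_t)(p - val);   /* == (p + len) - end */
        const char *p_delim = p;

        if (overrun > worst)
            worst = overrun;

        while (p_delim < end && *p_delim != delim)
            p_delim++;
        if (p_delim >= end)
            break;
        p = p_delim + 1;
    }
    return worst;
}
```

With the constructed value `"a=1; b=22; c=333"` (16 bytes, delimiter `;`) the scan finds three parts, and the old bound would have let the third scan read 10 bytes past the end of the value, which is the offset at which that part begins.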