From: Christopher Faulet
Date: Mon, 11 Sep 2023 16:57:39 +0000 (+0200)
Subject: BUG/MEDIUM: mux-fcgi: Don't swap trash and dbuf when handling STDERR records
X-Git-Tag: v2.9-dev6~39
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=665703d4565181553bb7285929043c94d3490bf7;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: mux-fcgi: Don't swap trash and dbuf when handling STDERR records

Trash chunks are buffers but not allocated from the buffers pool. And the "trash" chunk is static and thread-local. These are two reasons to not swap it with a regular buffer allocated from the buffers pool.

Unfortunately, it is exactly what is performed in the FCGI mux when a STDERR record is handled. b_xfer() is used to copy data from the demux buffer to the trash to format the error message. A zero-copy via a swap may be performed. In this case, this leads to a memory corruption and a crash because, some time later, the demux buffer is released because it is empty. And it is in fact the trash chunk.

b_force_xfer() must be used instead. This function forces the copy.

This patch must be backported as far as 2.2. For 2.4 and 2.2, b_force_xfer() does not exist. For these versions, the following commit must be backported too:

  * c7860007cc ("MINOR: buf: Add b_force_xfer() function")

---
diff --git a/src/mux_fcgi.c b/src/mux_fcgi.c index ec2cb60dcf..8a4e6c2a8f 100644 --- a/src/mux_fcgi.c +++ b/src/mux_fcgi.c @@ -2363,7 +2363,7 @@ static int fcgi_strm_handle_stderr(struct fcgi_conn *fconn, struct fcgi_strm *fs goto fail; // incomplete record chunk_reset(&trash); - ret = b_xfer(&trash, dbuf, MIN(b_room(&trash), fconn->drl)); + ret = b_force_xfer(&trash, dbuf, MIN(b_room(&trash), fconn->drl)); if (!ret) goto fail; fconn->drl -= ret;
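
Review bot: the b_force_xfer() call that replaces b_xfer() right after chunk_reset(&trash) carries no comment saying why the copy must be forced, so a later cleanup could switch it back to b_xfer() and reintroduce the swap. Add a short comment above the call noting that trash is a static, thread-local chunk that is not allocated from the buffers pool and must never be swapped with dbuf. It is also worth checking whether any other b_xfer() call passes &trash, or another chunk that does not come from the buffers pool, as one of its buffers.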