From: Christopher Faulet Date: Thu, 5 Oct 2017 08:03:12 +0000 (+0200) Subject: BUG/MEDIUM: http: Return an error when url_dec sample converter failed X-Git-Tag: v1.8-dev3~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a258479e3fe17fc525d3c82b23e26e311453fd56;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: http: Return an error when url_dec sample converter failed url_dec sample converter uses url_decode function to decode an URL. This function fails by returning -1 when an invalid character is found. But the sample converter never checked the return value and it used it as length for the decoded string. Because it always succeeded, the invalid sample (with a string length set to -1) could be used by other sample fetches or sample converters, leading to undefined behavior like segfault. The fix is pretty simple, url_dec sample converter just needs to return an error when url_decode fails. This patch must be backported in 1.7 and 1.6. --- diff --git a/src/proto_http.c b/src/proto_http.c index fb5c0858e2..e6107ee233 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -12414,7 +12414,7 @@ static int sample_conv_url_dec(const struct arg *args, struct sample *smp, void /* Add final \0 required by url_decode(), and convert the input string. */ smp->data.u.str.str[smp->data.u.str.len] = '\0'; smp->data.u.str.len = url_decode(smp->data.u.str.str); - return 1; + return (smp->data.u.str.len >= 0); } static int smp_conv_req_capture(const struct arg *args, struct sample *smp, void *private)
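Review bot: On the failure path in sample_conv_url_dec(), the -1 returned by url_decode() is still written to smp->data.u.str.len before the new return statement. The converter now reports an error, but the sample it leaves behind still carries a negative length. Consider capturing the result in a local first, for example `int len = url_decode(smp->data.u.str.str);` followed by `if (len < 0) return 0;`, and assigning smp->data.u.str.len only on success. That also keeps the check correct if the len field is not a signed type, which this hunk does not show. A short comment noting that url_decode() returns a negative value on an invalid character would explain why the return is conditional.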