From: Willy Tarreau Date: Wed, 24 Nov 2010 17:31:28 +0000 (+0100) Subject: [CRITICAL] cookies: mixing cookies in indirect mode and appsession can crash the... X-Git-Tag: v1.5-dev8~364 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b810554f8f45e4488965b5a2fbfcd2f825fa9d3d;p=thirdparty%2Fhaproxy.git [CRITICAL] cookies: mixing cookies in indirect mode and appsession can crash the process Cookies in indirect mode are removed from the cookie header. Three pointers ought to be updated when appsession cookies are processed next, but were not. The result is that a memcpy() can be called with a negative value causing the process to crash. It is not sure whether this can be remotely exploited or not. (cherry picked from commit c5f3749aa3ccfdebc4992854ea79823d26f66213) --- diff --git a/src/proto_http.c b/src/proto_http.c index a65a923e88..5385ffc230 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -6263,6 +6263,11 @@ void manage_client_side_cookies(struct session *t, struct buffer *req) if (del_from != NULL) { int delta = del_hdr_value(req, &del_from, prev); + if (att_beg >= del_from) + att_beg += delta; + if (att_end >= del_from) + att_end += delta; + val_beg += delta; val_end += delta; next += delta; hdr_end += delta;
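Review bot: the new guards `if (att_beg >= del_from)` and `if (att_end >= del_from)` run after `del_hdr_value(req, &del_from, prev)`, which receives `del_from` by address, so they compare against whatever value the call left there. If the helper moves `del_from`, the guards no longer test against the start of the removed region. Consider saving the pre-call position in a local and comparing against that, or add a comment stating that the post-call `del_from` is the intended reference. The added `val_beg += delta;` is unconditional, like the existing `val_end`, `next` and `hdr_end` adjustments, while the `att_*` pointers are conditional. A one-line comment on why the attribute pointers may sit before the deleted region and the value pointers may not would make that invariant checkable. Since the commit message attributes the crash to memcpy() being called with a negative value, a sanity check on that size at the copy site would keep a future missed pointer update from becoming a crash again.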