From: Remi Gacogne Date: Tue, 10 May 2022 20:26:21 +0000 (+0200) Subject: dnsdist: Fix a crash on a invalid protocol in DoH forwarded-for header X-Git-Tag: auth-4.8.0-alpha0~102^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bcdb279ebd78ee4911baa396c0566ada01232c23;p=thirdparty%2Fpdns.git dnsdist: Fix a crash on a invalid protocol in DoH forwarded-for header (cherry picked from commit f84fbd58b150fe6b69a7af27e23502f58f68eee5) --- diff --git a/pdns/dnsdistdist/doh.cc b/pdns/dnsdistdist/doh.cc index d74d52665f..8975dab5ad 100644 --- a/pdns/dnsdistdist/doh.cc +++ b/pdns/dnsdistdist/doh.cc @@ -697,21 +697,34 @@ static void processDOHQuery(DOHUnitUniquePtr&& du) ids->destHarvested = false; } + bool failed = false; if (du->downstream->d_config.useProxyProtocol) { - size_t payloadSize = 0; - if (addProxyProtocol(dq, &payloadSize)) { - du->proxyProtocolPayloadSize = payloadSize; + try { + size_t payloadSize = 0; + if (addProxyProtocol(dq, &payloadSize)) { + du->proxyProtocolPayloadSize = payloadSize; + } + } + catch (const std::exception& e) { + vinfolog("Adding proxy protocol payload to DoH query from %s failed: %s", ids->origDest.toStringWithPort(), e.what()); + failed = true; } } - int fd = du->downstream->pickSocketForSending(); - ids->backendFD = fd; try { - /* you can't touch du after this line, unless the call returned a non-negative value, - because it might already have been freed */ - ssize_t ret = udpClientSendRequestToBackend(du->downstream, fd, du->query); + if (!failed) { + int fd = du->downstream->pickSocketForSending(); + ids->backendFD = fd; + /* you can't touch du after this line, unless the call returned a non-negative value, + because it might already have been freed */ + ssize_t ret = udpClientSendRequestToBackend(du->downstream, fd, du->query); + + if (ret < 0) { + failed = true; + } + } - if (ret < 0) { + if (failed) { /* we are about to handle the error, make sure that this pointer is not accessed when the state is cleaned, but first check that it still belongs to us */