From: Christopher Faulet Date: Mon, 18 Mar 2024 07:02:32 +0000 (+0100) Subject: BUG/MEDIUM: spoe: Return an invalid frame on recv if size is too small X-Git-Tag: v3.0-dev6~82 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eb89e4f3e0595abdd38694b01209d6a69787f8cf;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: spoe: Return an invalid frame on recv if size is too small Frames with a too small size must be detected on receive and an error must be triggered. It is especially important for frames of size 0. Otherwise, because the frame length is used as return value, the frame is ignored (0 is the return value to state the frame must be ignored). It is an issue because in this case, outgoing data, the 4 bytes representing the frame size, are never consumed. If the agent also closes the connection, this leads to a wakeup loop because outgoing data are stuck and a shutdown is pending. In addition, all pending outgoing data are systematcially skipped when the applet is in SPOE_APPCTX_ST_END state. The patch should fix the issue #2490. It must be backported to all stable versions. --- diff --git a/src/flt_spoe.c b/src/flt_spoe.c index 0c06bed774..f646581efd 100644 --- a/src/flt_spoe.c +++ b/src/flt_spoe.c @@ -1165,6 +1165,10 @@ spoe_recv_frame(struct appctx *appctx, char *buf, size_t framesz) ret = co_getblk(sc_oc(sc), (char *)&netint, 4, 0); if (ret > 0) { framesz = ntohl(netint); + if (framesz < 7) { + SPOE_APPCTX(appctx)->status_code = SPOE_FRM_ERR_INVALID; + return -1; + } if (framesz > SPOE_APPCTX(appctx)->max_frame_size) { SPOE_APPCTX(appctx)->status_code = SPOE_FRM_ERR_TOO_BIG; return -1; @@ -1998,6 +2002,7 @@ spoe_handle_appctx(struct appctx *appctx) __fallthrough; case SPOE_APPCTX_ST_END: + co_skip(sc_oc(sc), co_data(sc_oc(sc))); return; } out: