From: Willy Tarreau Date: Fri, 1 May 2015 22:05:47 +0000 (+0200) Subject: BUG/MAJOR: http: prevent risk of reading past end with balance url_param X-Git-Tag: v1.6-dev2~146 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f69d4ff0063723442ba62af7ca582b1db163bd31;p=thirdparty%2Fhaproxy.git BUG/MAJOR: http: prevent risk of reading past end with balance url_param The get_server_ph_post() function assumes that the buffer is contiguous. While this is true for all the header part, it is not necessarily true for the end of data the fit in the reserve. In this case there's a risk to read past the end of the buffer for a few hundred bytes, and possibly to crash the process if what follows is not mapped. The fix consists in truncating the analyzed length to the length of the contiguous block that follows the headers. A config workaround for this bug would be to disable balance url_param. This fix must be backported to 1.5. It seems 1.4 did have the check. --- diff --git a/src/backend.c b/src/backend.c index 75792bde0d..17a55d6685 100644 --- a/src/backend.c +++ b/src/backend.c @@ -313,6 +313,9 @@ struct server *get_server_ph_post(struct stream *s) if (len == 0) return NULL; + if (len > req->buf->data + req->buf->size - p) + len = req->buf->data + req->buf->size - p; + if (px->lbprm.tot_weight == 0) return NULL;