git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Willy Tarreau <w@1wt.eu>
	Thu, 8 Jan 2015 10:34:55 +0000 (11:34 +0100)
committer	Willy Tarreau <w@1wt.eu>
	Wed, 14 Jan 2015 11:04:34 +0000 (12:04 +0100)
commit	0428a146c0ee776f7c89359e8aed0d755ffbad07
tree	a4cf01af99e665071f7e0d9a7e5a8173863171b2	tree \| snapshot
parent	75abcb3106e2c27ef983df885558cf94e01f717a	commit \| diff

BUG/MEDIUM: channel: fix possible integer overflow on reserved size computation

The buffer_max_len() function is subject to an integer overflow in this
calculus :

    int ret = global.tune.maxrewrite - chn->to_forward - chn->buf->o;

  - chn->to_forward may be up to 2^31 - 1
  - chn->buf->o may be up to chn->buf->size
  - global.tune.maxrewrite is by definition smaller than chn->buf->size

Thus here we can subtract (2^31 + buf->o) (highly negative) from something
slightly positive, and result in ret being larger than expected.

Fortunately in 1.5 and 1.6, this is only used by bi_avail() which itself
is used by applets which do not set high values for to_forward so this
problem does not happen there. However in 1.4 the equivalent computation
was used to limit the size of a read and can result in a read overflow
when combined with the nasty http-send-name-header feature.

This fix must be backported to 1.5 and 1.4.