git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Willy Tarreau <w@1wt.eu>
	Wed, 25 May 2016 14:23:59 +0000 (16:23 +0200)
committer	Willy Tarreau <w@1wt.eu>
	Wed, 25 May 2016 14:23:59 +0000 (16:23 +0200)
commit	58727ec088e55f739b146cff3baa955f8d1b2a3e
tree	515b3ea960db811f93d6150d74bc813cf780052d	tree \| snapshot
parent	1516fe31dddc9f50a8783db496072ea67db0adde	commit \| diff

BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes

Commit 108b1dd ("MEDIUM: http: configurable http result codes for
http-request deny") introduced in 1.6-dev2 was incomplete. It introduced
a new field "rule_deny_status" into struct http_txn, which is filled only
by actions "http-request deny" and "http-request tarpit". It's then used
in the deny code path to emit the proper error message, but is used
uninitialized when the deny comes from a "reqdeny" rule, causing random
behaviours ranging from returning a 200, an empty response, or crashing
the process. Often upon startup only 200 was returned but after the fields
are used the crash happens. This can be sped up using -dM.

There's no need at all for storing this status in the http_txn struct
anyway since it's used immediately after being set. Let's store it in
a temporary variable instead which is passed as an argument to function
http_req_get_intercept_rule().

As an extra benefit, removing it from struct http_txn reduced the size
of this struct by 8 bytes.

This fix must be backported to 1.6 where the bug was detected. Special
thanks to Falco Schmutz for his detailed report including an exploitable
core and a reproducer.

include/types/proto_http.h		diff \| blob \| blame \| history
src/proto_http.c		diff \| blob \| blame \| history