BUG/MEDIUM: http: Prevent replace-header from overwriting a buffer

This is the same fix as which concerning the redirect rules (0d94576c).

The buffer used to expand the <replace-fmt> argument must be protected to
prevent it being overwritten during build_logline() execution (the function used
to expand the format string).

This patch should be backported in 1.7, 1.6 and 1.5. It relies on commit b686afd
("MINOR: chunks: implement a simple dynamic allocator for trash buffers") for
the trash allocator, which has to be backported as well.

diff --git a/src/proto_http.c b/src/proto_http.c
index 80ba5660b4833e5ce6d6e0cba44ac44a4daab6c7..3d8005e627447fa8cf03ff254ad544723c699312 100644 (file)
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3419,13 +3419,22 @@ static int http_transform_header(struct stream* s, struct http_msg *msg,
                                  struct list *fmt, struct my_regex *re,
                                  int action)
 {
-       struct chunk *replace = get_trash_chunk();
+       struct chunk *replace;
+       int ret = -1;
+
+       replace = alloc_trash_chunk();
+       if (!replace)
+               goto leave;
 
        replace->len = build_logline(s, replace->str, replace->size, fmt);
        if (replace->len >= replace->size - 1)
-               return -1;
+               goto leave;
+
+       ret = http_transform_header_str(s, msg, name, name_len, replace->str, re, action);
 
-       return http_transform_header_str(s, msg, name, name_len, replace->str, re, action);
+  leave:
+       free_trash_chunk(replace);
+       return ret;
 }
 
 /* Executes the http-request rules <rules> for stream <s>, proxy <px> and