BUG/MEDIUM: h2: fix aggregated cookie length computation in HTX mode
authorWilly Tarreau <w@1wt.eu>
Tue, 18 Dec 2018 10:00:41 +0000 (11:00 +0100)
committerWilly Tarreau <w@1wt.eu>
Tue, 18 Dec 2018 10:03:11 +0000 (11:03 +0100)
Cyril Bonté reported a bug in the way the cookie length is computed
when aggregating multiple cookies : the first cookie name was counted
as part of the value length, causing random contents to be placed there,
possibly leading to bad requests.

No backport is needed.

src/h2.c

index 1b784fd4aba2dbad91db156612243e93aa34e5f3..883075262bdd3803a45b96db232843b051e017b0 100644 (file)
--- a/src/h2.c
+++ b/src/h2.c
@@ -537,29 +537,32 @@ int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *ms
                uint32_t fs; // free space
                uint32_t bs; // block size
                uint32_t vl; // value len
+               uint32_t tl; // total length
                struct htx_blk *blk;
 
                blk = htx_add_header(htx, ist("cookie"), list[ck].v);
                if (!blk)
                        goto fail;
 
+               tl = list[ck].v.len;
                fs = htx_free_data_space(htx);
                bs = htx_get_blksz(blk);
 
                /* for each extra cookie, we'll extend the cookie's value and
                 * insert "; " before the new value.
                 */
-               for ( ; (ck = list[ck].n.len) >= 0 ; ) {
+               fs += tl; // first one is already counted
+               for (; (ck = list[ck].n.len) >= 0 ; ) {
                        vl = list[ck].v.len;
-                       if (vl + 2 > fs)
+                       tl += vl + 2;
+                       if (tl > fs)
                                goto fail;
 
-                       htx_set_blk_value_len(blk, bs + 2 + vl);
+                       htx_set_blk_value_len(blk, tl);
                        *(char *)(htx_get_blk_ptr(htx, blk) + bs + 0) = ';';
                        *(char *)(htx_get_blk_ptr(htx, blk) + bs + 1) = ' ';
                        memcpy(htx_get_blk_ptr(htx, blk) + bs + 2, list[ck].v.ptr, vl);
                        bs += vl + 2;
-                       fs -= vl + 2;
                }
 
        }
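Review bot: The only guard in front of the `memcpy()` is `tl += vl + 2; if (tl > fs)`, and both the addition and the comparison are done in `uint32_t`, so a `vl` close to `UINT32_MAX` would wrap `tl` and let the check pass. Whether `list[ck].v.len` can ever be that large depends on limits enforced by the header decoder, which is outside this hunk, so the bound should either be documented here or made wrap-safe. Since `tl <= fs` holds on entry to every iteration, the test can be written against the remaining room before `tl` is updated: `if (vl > fs - tl || fs - tl - vl < 2)`, then `goto fail;`, then `tl += vl + 2;`. The comment on `fs += tl` could also say that `fs` now holds the maximum allowed value length rather than the free space, e.g. `/* fs becomes the ceiling for tl: free space plus the first cookie already stored */`. The body of `h2_make_htx_request()` starts and ends outside the hunk.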