BUG/MINOR: config: check capture pool creations for failures

A few capture pools can fail in case of too large values for example.
These include the req_uri, capture, and caphdr pools, and may be triggered
with "tune.http.logurilen 2147483647" in the global section, or one of
these in a frontend:

  capture request header name len 2147483647
  http-request capture src len 2147483647
  tcp-request content capture src len 2147483647

These seem to be the only occurrences where create_pool()'s return value
is assigned without being checked, so let's add the proper check for
errors there. This can be backported as a hardening measure though the
risks and impacts are extremely low.

diff --git a/src/cfgparse.c b/src/cfgparse.c
index 1940330a780debf500a8f891d34fb373953769f4..52a4cb8fe0581068e7f7301484e43c6422f7e2b9 100644 (file)
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -2324,6 +2324,12 @@ int check_config_validity()
 
        pool_head_capture = create_pool("capture", global.tune.cookie_len, MEM_F_SHARED);
 
+       /* both will have already emitted an error message if needed */
+       if (!pool_head_requri || !pool_head_capture) {
+               err_code |= ERR_ALERT | ERR_FATAL;
+               goto out;
+       }
+
        /* Post initialisation of the users and groups lists. */
        err_code = userlist_postinit();
        if (err_code != ERR_NONE)

diff --git a/src/http_act.c b/src/http_act.c
index 2adf6fccaaa10fc0d9f83717aa5ec70f025a20e4..bfe8321d82ca21901d40ae7a17527eee5771022a 100644 (file)
--- a/src/http_act.c
+++ b/src/http_act.c
@@ -960,6 +960,12 @@ static enum act_parse_ret parse_http_req_capture(const char **args, int *orig_ar
                hdr->namelen = 0;
                hdr->len = len;
                hdr->pool = create_pool("caphdr", hdr->len + 1, MEM_F_SHARED);
+               if (!hdr->pool) {
+                       memprintf(err, "out of memory");
+                       free(hdr);
+                       release_sample_expr(expr);
+                       return ACT_RET_PRS_ERR;
+               }
                hdr->index = px->nb_req_cap++;
 
                px->req_cap = hdr;

diff --git a/src/proxy.c b/src/proxy.c
index 41cb8042df5dd1ad271950842a296588cb22ed75..d3b7c0f93fffeb0e7ccca97c8b0e7df8c144dfa7 100644 (file)
--- a/src/proxy.c
+++ b/src/proxy.c
@@ -878,6 +878,11 @@ static int proxy_parse_declare(char **args, int section, struct proxy *curpx,
                hdr->namelen = 0;
                hdr->len = len;
                hdr->pool = create_pool("caphdr", hdr->len + 1, MEM_F_SHARED);
+               if (!hdr->pool) {
+                       memprintf(err, "out of memory");
+                       free(hdr);
+                       return -1;
+               }
 
                if (strcmp(args[2], "request") == 0) {
                        hdr->next = curpx->req_cap;

diff --git a/src/tcp_rules.c b/src/tcp_rules.c
index dd2fb74cf640fce76f667a6e7fd000aafc8d435e..68b01a496d8beb2d38cf8e4440c129e098dd99a1 100644 (file)
--- a/src/tcp_rules.c
+++ b/src/tcp_rules.c
@@ -970,6 +970,12 @@ static int tcp_parse_request_rule(char **args, int arg, int section_type,
                hdr->namelen = 0;
                hdr->len = len;
                hdr->pool = create_pool("caphdr", hdr->len + 1, MEM_F_SHARED);
+               if (!hdr->pool) {
+                       memprintf(err, "parsing [%s:%d] : out of memory", file, line);
+                       free(hdr);
+                       release_sample_expr(expr);
+                       return -1;
+               }
                hdr->index = curpx->nb_req_cap++;
 
                curpx->req_cap = hdr;