BUG/MAJOR: Fix crash in http_get_fhdr with exactly MAX_HDR_HISTORY headers

Similar issue was fixed in 67dad27, but the fix is incomplete. Crash still
happened when utilizing req.fhdr() and sending exactly MAX_HDR_HISTORY
headers.

This fix needs to be backported to 1.5 and 1.6.

Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>

diff --git a/src/proto_http.c b/src/proto_http.c
index b7654a67a565d8aee919822ca99915666d458f1d..7abe4931eb54056f45bb8bf36e941e8d1989be13 100644 (file)
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -8537,10 +8537,13 @@ unsigned int http_get_fhdr(const struct http_msg *msg, const char *hname, int hl
        }
        if (-occ > found)
                return 0;
+
        /* OK now we have the last occurrence in [hist_ptr-1], and we need to
-        * find occurrence -occ, so we have to check [hist_ptr+occ].
+        * find occurrence -occ. 0 <= hist_ptr < MAX_HDR_HISTORY, and we have
+        * -10 <= occ <= -1. So we have to check [hist_ptr%MAX_HDR_HISTORY+occ]
+        * to remain in the 0..9 range.
         */
-       hist_ptr += occ;
+       hist_ptr += occ + MAX_HDR_HISTORY;
        if (hist_ptr >= MAX_HDR_HISTORY)
                hist_ptr -= MAX_HDR_HISTORY;
        *vptr = ptr_hist[hist_ptr];