BUG/MEDIUM: proxy: Perform a custom copy for default server settings

When a proxy is initialized with the settings of the default proxy, instead
of doing a raw copy of the default server settings, a custom copy is now
performed by calling srv_settings_copy(). This way, all settings will be
really duplicated. Without this deep copy, some pointers are shared between
several servers, leading to UAF, double-free or such bugs.

This patch relies on following commits:

  * b32cb9b51 REORG: server: Export srv_settings_cpy() function
  * 0b365e3cb MINOR: server: Constify source server to copy its settings

This patch should fix the issue #1804. It must be backported as far as 2.0.

diff --git a/src/proxy.c b/src/proxy.c
index e38970106d355f41044c10c7badcc6357a5d7d48..7a2d40056717e5615920e4f47f9efb9779f76d0d 100644 (file)
--- a/src/proxy.c
+++ b/src/proxy.c
@@ -1631,7 +1631,7 @@ static int proxy_defproxy_cpy(struct proxy *curproxy, const struct proxy *defpro
        char *tmpmsg = NULL;
 
        /* set default values from the specified default proxy */
-       memcpy(&curproxy->defsrv, &defproxy->defsrv, sizeof(curproxy->defsrv));
+       srv_settings_cpy(&curproxy->defsrv, &defproxy->defsrv, 0);
 
        curproxy->flags = (defproxy->flags & PR_FL_DISABLED); /* Only inherit from disabled flag */
        curproxy->options = defproxy->options;