git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
BUG/MAJOR: http: http_txn_get_path() may dereference an inexisting buffer
author Willy Tarreau <w@1wt.eu>
Sun, 28 Oct 2018 19:13:12 +0000 (20:13 +0100)
committer Willy Tarreau <w@1wt.eu>
Sun, 28 Oct 2018 19:16:12 +0000 (20:16 +0100)
When the "path" sample fetch function is called without any path, the
function doesn't check that the request buffer is allocated. While this
doesn't happen with the request during processing, it can definitely
happen when mistakenly trying to reference a path from the response
since the request channel is not allocated anymore.

It's certain that this bug was emphasized by the buffer changes that
went in 1.9 and the HTTP refactoring, but at first glance, 1.8 doesn't
seem 100% safe either so it's possible that older versions are affected
as well.

Thanks to PiBa-NL for reporting this bug with a reproducer.

src/proto_http.c

index 39900deac17e57da620d3801bdf32dd7bb16e202..a8a1728a8d4ef486ab2d1de802148c3456b81dce 100644 (file)
@@ -440,6 +440,9 @@ char *http_txn_get_path(const struct http_txn *txn)
 {
        struct ist ret;
 
+       if (!txn->req.chn->buf.size)
+               return NULL;
+
        ret = http_get_path(ist2(ci_head(txn->req.chn) + txn->req.sl.rq.u, txn->req.sl.rq.u_l));
 
        return ret.ptr;
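
Review bot: the new guard at the top of http_txn_get_path() reads txn->req.chn->buf.size, so it still dereferences txn->req.chn unconditionally. The commit message says the request channel "is not allocated anymore" when a path is referenced from the response, so please confirm that chn itself is always a valid pointer on that path and only its buffer is released; if not, test the pointer first, e.g. if (!txn->req.chn || !txn->req.chn->buf.size). The function now has an explicit NULL return, so its header comment should state that NULL means "no request buffer" and the sample fetch callers should be checked to treat NULL as "no path" rather than passing it on. A regression test based on the reporter's reproducer would also help, given the message notes that 1.8 and older may be affected.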