BUG/MAJOR: cache/htx: Set the start-line offset when a cached object is served

When the function htx_add_stline() is used, this offset is automatically set
when necessary. But the HTX cache applet adds all header blocks of the responses
manually, including the start-line. So its offset must be explicitly set by the
applet.

When everything goes well, the HTTP analyzer http_wait_for_response() looks for
the start-line in the HTX messages, calling http_find_stline(). If necessary,
the start-line offet will also be automatically set during this stage. So the
bug of the HTX cache applet does not hurt most of the time. But, when an error
occurred, HTTP responses analyzers can be bypassed. In such caese, the
start-line offset of cached responses remains unset.

Some part of the code relies on the start-line offset to process the HTX
messages. Among others, when H2 responses are sent to clients, the H2
multiplexer read the start-line without any check, because it _MUST_ always be
there. if its offset is not set, a NULL pointer is dereferenced leading to a
segfault.

The patch must be backported to 1.9.

diff --git a/src/cache.c b/src/cache.c
index 698395f157b32b7708df03bb4a6096f33e37a2a3..074c43bc4d2b687c3320cac8a91659e9dbbc36fd 100644 (file)
--- a/src/cache.c
+++ b/src/cache.c
@@ -913,6 +913,10 @@ static size_t htx_cache_dump_headers(struct appctx *appctx, struct htx *htx)
                if (!blk)
                        return 0;
 
+               /* Set the start-line offset */
+               if (type == HTX_BLK_RES_SL)
+                       htx->sl_off = blk->addr;
+
                /* Copy info and data */
                blk->info = info;
                memcpy(htx_get_blk_ptr(htx, blk), b_peek(tmp, offset+4), sz);