[CRITICAL] cookies: mixing cookies in indirect mode and appsession can crash the...
authorWilly Tarreau <w@1wt.eu>
Wed, 24 Nov 2010 17:31:28 +0000 (18:31 +0100)
committerWilly Tarreau <w@1wt.eu>
Sun, 28 Nov 2010 06:06:22 +0000 (07:06 +0100)
Cookies in indirect mode are removed from the cookie header. Three pointers
ought to be updated when appsession cookies are processed next, but were not.
The result is that a memcpy() can be called with a negative value causing the
process to crash. It is not known whether this can be remotely exploited or not.
(cherry picked from commit c5f3749aa3ccfdebc4992854ea79823d26f66213)

src/proto_http.c

index a65a923e88ef1a76d075af3388a32e85a2d7fe92..5385ffc2301f67992971e27731b408e00a7d99d0 100644 (file)
@@ -6263,6 +6263,11 @@ void manage_client_side_cookies(struct session *t, struct buffer *req)
 
                                if (del_from != NULL) {
                                        int delta = del_hdr_value(req, &del_from, prev);
+                                       if (att_beg >= del_from)
+                                               att_beg += delta;
+                                       if (att_end >= del_from)
+                                               att_end += delta;
+                                       val_beg  += delta;
                                        val_end  += delta;
                                        next     += delta;
                                        hdr_end  += delta;
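Review bot: The new adjustments shift `att_beg`/`att_end` only when they are `>= del_from`, while `val_beg`, `val_end`, `next` and `hdr_end` are shifted unconditionally, and nothing in the hunk explains the difference. A missed pointer here is what produced the negative memcpy() length described in the commit message, so the invariant deserves a comment above the block, e.g. `/* bytes were removed at del_from: every pointer at or after it moves by delta; att_* may still lie before it */`. `del_from` is also passed by address to `del_hdr_value()`, so if the callee can move it, both comparisons run against the updated value; it is worth confirming that this is the intended reference point. The memcpy() call is outside this hunk, and a check there that the computed length is non-negative before copying would stop a future missed pointer from becoming a crash. The enclosing function starts and ends outside the hunk.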