git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
[CRITICAL] an empty header may lead to a crash
author Willy Tarreau <w@1wt.eu>
Fri, 26 Jan 2007 22:39:38 +0000 (23:39 +0100)
committer Willy Tarreau <w@1wt.eu>
Fri, 26 Jan 2007 22:39:38 +0000 (23:39 +0100)
A missing pointer assignment in case of an empty header
will result in this header's length being 65535, causing
a SEGV when accessing the next header. It should not be
possible to exploit this problem to run arbitrary code
because the crash occurs while reading the data.

src/proto_http.c

index 5aad97d044e2a81b012abe0b2cd9e06f422c81de..c7d91d3185338d7094b4b6e9db0780925e1b116b 100644 (file)
@@ -1018,6 +1018,7 @@ void http_msg_analyzer(struct buffer *buf, struct http_msg *msg, struct hdr_idx
                                buf->data[msg->sov] = ' ';
                        goto http_msg_hdr_l1_sp;
                }
+               msg->eol = ptr;
                goto http_msg_complete_header;
                
        http_msg_hdr_val:
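
Review bot: The added `msg->eol = ptr;` ahead of `goto http_msg_complete_header;` carries no comment explaining why this path needs it, and the fix relies on every jump to `http_msg_complete_header` having set `msg->eol` beforehand. Please add a one-line comment here saying this is the empty-header case and that `eol` would otherwise keep a stale value. Consider also checking at the `http_msg_complete_header` label that `msg->eol` was set for the current header, so a path that forgets the assignment is rejected as a parse error instead of producing the 65535 length described in the commit message. A regression test that sends a request containing an empty header would keep this from coming back.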