git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies
author Andrew McDermott <aim@frobware.com>
Fri, 11 Feb 2022 18:26:49 +0000 (18:26 +0000)
committer Willy Tarreau <w@1wt.eu>
Wed, 16 Feb 2022 13:42:13 +0000 (14:42 +0100)
Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
header is found then the while(1) loop in
http_manage_server_side_cookies() will never terminate, resulting in
the watchdog firing and the process terminating via SIGABRT.

The while(1) loop becomes unbounded because an unmatched call to
http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
calls to check for "Set-Cookie2" will now enumerate from the beginning
of all the blocks and will once again match on subsequent
passes (assuming a match first time around), hence the loop becoming
unbounded.

This issue was introduced with HTX and this fix should be backported
to all versions supporting HTX.

Many thanks to Grant Spence (gspence@redhat.com) for working through
this issue with me.

src/http_ana.c

index 715dd3a5c58e5002b2eae44e42e3b40d5f12fd25..c2d9d9b439aedaecaaee7dbc080fd41bd2f53aa4 100644 (file)
@@ -3418,7 +3418,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re
        while (1) {
                int is_first = 1;
 
-               if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
+               if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
                        if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
                                break;
                        is_cookie2 = 1;
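
Review bot: the new `is_cookie2 ||` guard on the "Set-Cookie" lookup carries no comment, and the reason for it is not obvious from the code alone. The commit message explains that a failed http_find_header() for "Set-Cookie" leaves ctx->blk NULL, so the following "Set-Cookie2" lookup restarts from the first block and matches the same header again. Please put a short comment to that effect above the `if`, so the short-circuit is not later "simplified" back into the unbounded form. The guard is also only correct if is_cookie2 is initialised to 0 before the `while (1)` and is never cleared inside the loop body. Neither is visible in this hunk, so it is worth confirming. Since the failure mode is a watchdog SIGABRT triggered by a server response header, a regression test with a response that carries only "Set-Cookie2", and one with both header names, would keep this from coming back.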