From: Christopher Faulet
Date: Wed, 8 Feb 2017 11:17:07 +0000 (+0100)
Subject: BUG/MEDIUM: http: Prevent replace-header from overwriting a buffer
X-Git-Tag: v1.8-dev1~140
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=07a0fec;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: http: Prevent replace-header from overwriting a buffer

This is the same fix as the one concerning the redirect rules (0d94576c). The buffer used to expand the argument must be protected to prevent it being overwritten during build_logline() execution (the function used to expand the format string).

This patch should be backported in 1.7, 1.6 and 1.5. It relies on commit b686afd ("MINOR: chunks: implement a simple dynamic allocator for trash buffers") for the trash allocator, which has to be backported as well.

---
diff --git a/src/proto_http.c b/src/proto_http.c index 80ba5660b4..3d8005e627 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -3419,13 +3419,22 @@ static int http_transform_header(struct stream* s, struct http_msg *msg, struct list *fmt, struct my_regex *re, int action) { - struct chunk *replace = get_trash_chunk(); + struct chunk *replace; + int ret = -1; + + replace = alloc_trash_chunk(); + if (!replace) + goto leave; replace->len = build_logline(s, replace->str, replace->size, fmt); if (replace->len >= replace->size - 1) - return -1; + goto leave; + + ret = http_transform_header_str(s, msg, name, name_len, replace->str, re, action); - return http_transform_header_str(s, msg, name, name_len, replace->str, re, action); + leave: + free_trash_chunk(replace); + return ret; } /* Executes the http-request rules for stream , proxy and
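
Review bot: In the allocation-failure path of http_transform_header(), `if (!replace) goto leave;` lands on `free_trash_chunk(replace)` with `replace` still NULL, so the cleanup depends on free_trash_chunk() accepting a NULL pointer, which nothing in the visible lines guarantees. Either state that assumption in a comment at the `leave:` label, or return -1 directly when the allocation fails and reserve `leave:` for the paths that actually own a chunk. Allocation failure and a truncated expansion (`replace->len >= replace->size - 1`) also both come back as -1, so the caller cannot tell an out-of-memory condition from an oversized format result; if that is intended, the function comment should say so. Because the message asks for backports to 1.7, 1.6 and 1.5 together with b686afd, the same NULL handling has to hold in each backported copy of the allocator.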