From: Willy Tarreau <w@1wt.eu>
Date: Sun, 28 Nov 2010 05:57:24 +0000 (+0100)
Subject: [BUG] http: correctly update the header list when removing two consecutive headers
X-Git-Tag: v1.5-dev8~363
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=26db59ea6b1f7319f53aca34bc64c4f180247e98;p=thirdparty%2Fhaproxy.git

[BUG] http: correctly update the header list when removing two consecutive headers

When a header is removed, the previous header's next pointer is updated
to reflect the next of the current header. However, when cycling through
the loop, we update the prev pointer to point to the deleted header, which
means that if we delete another header, it's the deleted header's next
pointer that will be updated, leaving the deleted header in the list with
a null length, which is forbidden.

We must just not update the prev pointer after a removal.

This bug was present when either "reqdel" and "rspdel" removed two consecutive
headers. It could also occur when removing cookies in either requests or
responses, but since headers were the last header processing, the issue
remained unnoticed.

Issue reported by Hank A. Paulson.

This fix must be ported to 1.4 and possibly 1.3.
---

diff --git a/src/proto_http.c b/src/proto_http.c
index 5385ffc230..47bdb63297 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -5553,6 +5553,7 @@ int apply_filter_to_req_headers(struct session *t, struct buffer *req, struct hd
 				txn->hdr_idx.used--;
 				cur_hdr->len = 0;
 				cur_end = NULL; /* null-term has been rewritten */
+				cur_idx = old_idx;
 				break;
 
 			}
@@ -6325,6 +6326,7 @@ void manage_client_side_cookies(struct session *t, struct buffer *req)
 				txn->hdr_idx.v[old_idx].next = cur_hdr->next;
 				txn->hdr_idx.used--;
 				cur_hdr->len = 0;
+				cur_idx = old_idx;
 			}
 			hdr_next += delta;
 			http_msg_move_end(&txn->req, delta);
@@ -6417,6 +6419,7 @@ int apply_filter_to_resp_headers(struct session *t, struct buffer *rtr, struct h
 				txn->hdr_idx.used--;
 				cur_hdr->len = 0;
 				cur_end = NULL; /* null-term has been rewritten */
+				cur_idx = old_idx;
 				break;
 
 			}
@@ -6806,6 +6809,7 @@ void manage_server_side_cookies(struct session *t, struct buffer *res)
 						txn->hdr_idx.v[old_idx].next = cur_hdr->next;
 						txn->hdr_idx.used--;
 						cur_hdr->len = 0;
+						cur_idx = old_idx;
 						hdr_next += delta;
 						http_msg_move_end(&txn->rsp, delta);
 						/* note: while both invalid now, <next> and <hdr_end>