From: Willy Tarreau Date: Mon, 26 Jan 2026 10:13:29 +0000 (+0100) Subject: BUG/MINOR: config: check capture pool creations for failures X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4e7c07736a10ac8e896a1fc8d9f5572f515db282;p=thirdparty%2Fhaproxy.git BUG/MINOR: config: check capture pool creations for failures A few capture pools can fail in case of too large values for example. These include the req_uri, capture, and caphdr pools, and may be triggered with "tune.http.logurilen 2147483647" in the global section, or one of these in a frontend: capture request header name len 2147483647 http-request capture src len 2147483647 tcp-request content capture src len 2147483647 These seem to be the only occurrences where create_pool()'s return value is assigned without being checked, so let's add the proper check for errors there. This can be backported as a hardening measure though the risks and impacts are extremely low.
---
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 1940330a7..52a4cb8fe 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -2324,6 +2324,12 @@ int check_config_validity()
 pool_head_capture = create_pool("capture", global.tune.cookie_len, MEM_F_SHARED);
+ /* both will have already emitted an error message if needed */
+ if (!pool_head_requri || !pool_head_capture) {
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+
 /* Post initialisation of the users and groups lists. */
 err_code = userlist_postinit();
 if (err_code != ERR_NONE)
diff --git a/src/http_act.c b/src/http_act.c
index 2adf6fcca..bfe8321d8 100644
--- a/src/http_act.c
+++ b/src/http_act.c
@@ -960,6 +960,12 @@ static enum act_parse_ret parse_http_req_capture(const char **args, int *orig_ar
 hdr->namelen = 0;
 hdr->len = len;
 hdr->pool = create_pool("caphdr", hdr->len + 1, MEM_F_SHARED);
+ if (!hdr->pool) {
+ memprintf(err, "out of memory");
+ free(hdr);
+ release_sample_expr(expr);
+ return ACT_RET_PRS_ERR;
+ }
 hdr->index = px->nb_req_cap++;
 px->req_cap = hdr;
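Review bot: The comment added above the check in check_config_validity() says an error was already emitted "if needed", which does not tell a maintainer whether create_pool() reports every failure itself; the three caphdr hunks in this commit set their own "out of memory" text, so the two conventions look inconsistent from the visible lines. If create_pool() does alert on every failure, a comment such as `/* create_pool() has already reported the failure; only flag it as fatal here */` states the contract. If it does not, this path can end startup with ERR_FATAL and no message naming the tunable at fault. The creation of pool_head_requri sits above the hunk, so this is inferred rather than confirmed.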
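Review bot: The new NULL check in parse_http_req_capture() runs only after `hdr->len + 1` has been evaluated, so with the `len 2147483647` value from the commit message the addition itself overflows if `len` is a signed int (its declaration is outside the hunk), and the failure is then reported as "out of memory" although the cause is an oversized length. Rejecting the value before the pool is created, for example `if (len >= INT_MAX) { memprintf(err, "capture length %d is too large", len); ... }` with the same cleanup as the new branch, keeps the arithmetic defined and tells the operator which setting to fix. The same applies to the caphdr hunks in src/proxy.c and src/tcp_rules.c. The function body starts and ends outside the hunk, so an earlier bound on len may already exist there.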
diff --git a/src/proxy.c b/src/proxy.c
index 41cb8042d..d3b7c0f93 100644
--- a/src/proxy.c
+++ b/src/proxy.c
@@ -878,6 +878,11 @@ static int proxy_parse_declare(char **args, int section, struct proxy *curpx,
 hdr->namelen = 0;
 hdr->len = len;
 hdr->pool = create_pool("caphdr", hdr->len + 1, MEM_F_SHARED);
+ if (!hdr->pool) {
+ memprintf(err, "out of memory");
+ free(hdr);
+ return -1;
+ }
 if (strcmp(args[2], "request") == 0) {
 hdr->next = curpx->req_cap;
diff --git a/src/tcp_rules.c b/src/tcp_rules.c
index dd2fb74cf..68b01a496 100644
--- a/src/tcp_rules.c
+++ b/src/tcp_rules.c
@@ -970,6 +970,12 @@ static int tcp_parse_request_rule(char **args, int arg, int section_type,
 hdr->namelen = 0;
 hdr->len = len;
 hdr->pool = create_pool("caphdr", hdr->len + 1, MEM_F_SHARED);
+ if (!hdr->pool) {
+ memprintf(err, "parsing [%s:%d] : out of memory", file, line);
+ free(hdr);
+ release_sample_expr(expr);
+ return -1;
+ }
 hdr->index = curpx->nb_req_cap++;
 curpx->req_cap = hdr;