From: Nenad Merdanovic Date: Tue, 29 Mar 2016 11:14:30 +0000 (+0200) Subject: BUG/MAJOR: Fix crash in http_get_fhdr with exactly MAX_HDR_HISTORY headers X-Git-Tag: v1.7-dev3~90 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=69ad4b997701b08e9de48fce4dc4ceeb7d80cb32;p=thirdparty%2Fhaproxy.git BUG/MAJOR: Fix crash in http_get_fhdr with exactly MAX_HDR_HISTORY headers Similar issue was fixed in 67dad27, but the fix is incomplete. Crash still happened when utilizing req.fhdr() and sending exactly MAX_HDR_HISTORY headers. This fix needs to be backported to 1.5 and 1.6. Signed-off-by: Nenad Merdanovic --- diff --git a/src/proto_http.c b/src/proto_http.c index b7654a67a5..7abe4931eb 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -8537,10 +8537,13 @@ unsigned int http_get_fhdr(const struct http_msg *msg, const char *hname, int hl } if (-occ > found) return 0; + /* OK now we have the last occurrence in [hist_ptr-1], and we need to - * find occurrence -occ, so we have to check [hist_ptr+occ]. + * find occurrence -occ. 0 <= hist_ptr < MAX_HDR_HISTORY, and we have + * -10 <= occ <= -1. So we have to check [hist_ptr%MAX_HDR_HISTORY+occ] + * to remain in the 0..9 range. */ - hist_ptr += occ; + hist_ptr += occ + MAX_HDR_HISTORY; if (hist_ptr >= MAX_HDR_HISTORY) hist_ptr -= MAX_HDR_HISTORY; *vptr = ptr_hist[hist_ptr];
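Review bot: The rewritten comment in http_get_fhdr tells the reader to check `[hist_ptr%MAX_HDR_HISTORY+occ]`, but the code under it does `hist_ptr += occ + MAX_HDR_HISTORY;` followed by one conditional subtraction, which under the stated ranges is `(hist_ptr + occ + MAX_HDR_HISTORY) % MAX_HDR_HISTORY`. The expression in the comment can still go negative (hist_ptr = 0, occ = -1), so it should be reworded to match what the code computes. The comment also hardcodes `-10 <= occ <= -1` and "the 0..9 range", which silently assume MAX_HDR_HISTORY is 10; stating both bounds in terms of the macro would keep the comment accurate if the constant changes. Finally, the lower bound on occ rests on the `if (-occ > found) return 0;` check together with found never exceeding MAX_HDR_HISTORY, and that cap is not visible in this hunk. A short mention of that invariant in the comment would make it easier to verify that a single subtraction is enough to stay inside ptr_hist.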