From: Christopher Faulet <cfaulet@haproxy.com>
Date: Wed, 3 Aug 2022 09:31:55 +0000 (+0200)
Subject: BUG/MEDIUM: proxy: Perform a custom copy for default server settings
X-Git-Tag: v2.7-dev3~27
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6bb86539dbe66b79e011b287c8b750f2e4ee62a0;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: proxy: Perform a custom copy for default server settings

When a proxy is initialized with the settings of the default proxy, instead
of doing a raw copy of the default server settings, a custom copy is now
performed by calling srv_settings_copy(). This way, all settings will be
really duplicated. Without this deep copy, some pointers are shared between
several servers, leading to UAF, double-free or such bugs.

This patch relies on following commits:

  * b32cb9b51 REORG: server: Export srv_settings_cpy() function
  * 0b365e3cb MINOR: server: Constify source server to copy its settings

This patch should fix the issue #1804. It must be backported as far as 2.0.
---

diff --git a/src/proxy.c b/src/proxy.c
index e38970106d..7a2d400567 100644
--- a/src/proxy.c
+++ b/src/proxy.c
@@ -1631,7 +1631,7 @@ static int proxy_defproxy_cpy(struct proxy *curproxy, const struct proxy *defpro
 	char *tmpmsg = NULL;
 
 	/* set default values from the specified default proxy */
-	memcpy(&curproxy->defsrv, &defproxy->defsrv, sizeof(curproxy->defsrv));
+	srv_settings_cpy(&curproxy->defsrv, &defproxy->defsrv, 0);
 
 	curproxy->flags = (defproxy->flags & PR_FL_DISABLED); /* Only inherit from disabled flag */
 	curproxy->options = defproxy->options;