From: Krzysztof Piotr Oledzki Date: Sun, 4 Oct 2009 21:34:15 +0000 (+0200) Subject: [BUG] Fix NULL pointer dereference in stats_check_uri_auth(), v2 X-Git-Tag: v1.4-dev4~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f61b215247ed87371c551fc09457bfdb8b72ddc;p=thirdparty%2Fhaproxy.git [BUG] Fix NULL pointer dereference in stats_check_uri_auth(), v2 Recent "struct chunk rework" introduced a NULL pointer dereference and now haproxy segfaults if auth is required for stats but not found. The reason is that size_t cannot store negative values, but current code assumes that "len < 0" == uninitialized. This patch fixes it. --- diff --git a/include/proto/buffers.h b/include/proto/buffers.h index cec7b02fbb..e061b2c0b6 100644 --- a/include/proto/buffers.h +++ b/include/proto/buffers.h @@ -439,9 +439,9 @@ static inline void chunk_init(struct chunk *chk, char *str, size_t size) { } /* report 0 in case of error, 1 if OK. */ -static inline int chunk_initlen(struct chunk *chk, char *str, size_t size, size_t len) { +static inline int chunk_initlen(struct chunk *chk, char *str, size_t size, int len) { - if (len > size) + if (size && len > size) return 0; chk->str = str; diff --git a/include/types/buffers.h b/include/types/buffers.h index 133285f4c3..fc070bda16 100644 --- a/include/types/buffers.h +++ b/include/types/buffers.h @@ -149,7 +149,7 @@ struct chunk { char *str; /* beginning of the string itself. Might not be 0-terminated */ size_t size; /* total size of the buffer, 0 if the *str is read-only */ - size_t len; /* current size of the string from first to last char. <0 = uninit. */ + int len; /* current size of the string from first to last char. <0 = uninit. */ }; /* needed for a declaration below */ diff --git a/src/proto_http.c b/src/proto_http.c index 4638d09c53..8698594047 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -4596,8 +4596,7 @@ int stats_check_uri_auth(struct session *t, struct proxy *backend) int len = txn->hdr_idx.v[cur_idx].len; if (len > 14 && !strncasecmp("Authorization:", h, 14)) { - txn->auth_hdr.str = h; - txn->auth_hdr.len = len; + chunk_initlen(&txn->auth_hdr, h, 0, len); break; } h += len + txn->hdr_idx.v[cur_idx].cr + 1;