From: Willy Tarreau Date: Sun, 28 Oct 2018 19:13:12 +0000 (+0100) Subject: BUG/MAJOR: http: http_txn_get_path() may deference an inexisting buffer X-Git-Tag: v1.9-dev5~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9d9ccdbf8b1178fefa2843c83bc6612733f9eca6;p=thirdparty%2Fhaproxy.git BUG/MAJOR: http: http_txn_get_path() may deference an inexisting buffer When the "path" sample fetch function is called without any path, the function doesn't check that the request buffer is allocated. While this doesn't happen with the request during processing, it can definitely happen when mistakenly trying to reference a path from the response since the request channel is not allocated anymore. It's certain that this bug was emphasized by the buffer changes that went in 1.9 and the HTTP refactoring, but at first glance, 1.8 doesn't seem 100% safe either so it's possible that older version are affected as well. Thanks to PiBa-NL for reporting this bug with a reproducer. --- diff --git a/src/proto_http.c b/src/proto_http.c index 39900deac1..a8a1728a8d 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -440,6 +440,9 @@ char *http_txn_get_path(const struct http_txn *txn) { struct ist ret; + if (!txn->req.chn->buf.size) + return NULL; + ret = http_get_path(ist2(ci_head(txn->req.chn) + txn->req.sl.rq.u, txn->req.sl.rq.u_l)); return ret.ptr;
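Review bot: the new guard at the top of http_txn_get_path() reads `txn->req.chn->buf.size`, so it still dereferences `txn->req.chn` unconditionally, while the commit message describes the failing case as "the request channel is not allocated anymore". If it is only the buffer inside the channel that is released and `chn` itself always stays valid, please say so in the message or in a short comment above the check. If `chn` can be NULL on the response side, the test needs to cover that first. The function also gains an early `return NULL;` with nothing in the hunk documenting it. A one-line comment on the function stating that NULL is returned when the request buffer is not allocated would tell callers of the "path" sample fetch that they must handle that result. Since the message mentions a reproducer from the reporter, adding it as a regression test alongside this fix would keep the response-side case covered.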