From: Willy Tarreau <w@1wt.eu>
Date: Fri, 26 Jan 2007 22:39:38 +0000 (+0100)
Subject: [CRITICAL] an empty header may lead to a crash
X-Git-Tag: v1.3.7~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b9ebf70a3ab05b0a0c54d488f90763db256881ff;p=thirdparty%2Fhaproxy.git

[CRITICAL] an empty header may lead to a crash

A missing pointer assignment in case of an empty header
will result in this header's length being 65535, causing
a SEGV when accessing the next header. It should not be
possible to exploit this problem to run arbitrary code
because the crash occurs while reading the data.
---

diff --git a/src/proto_http.c b/src/proto_http.c
index 5aad97d044..c7d91d3185 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -1018,6 +1018,7 @@ void http_msg_analyzer(struct buffer *buf, struct http_msg *msg, struct hdr_idx
 				buf->data[msg->sov] = ' ';
 			goto http_msg_hdr_l1_sp;
 		}
+		msg->eol = ptr;
 		goto http_msg_complete_header;
 		
 	http_msg_hdr_val: