From 9d9ccdbf8b1178fefa2843c83bc6612733f9eca6 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Sun, 28 Oct 2018 20:13:12 +0100 Subject: [PATCH] BUG/MAJOR: http: http_txn_get_path() may dereference a nonexistent buffer When the "path" sample fetch function is called without any path, the function doesn't check that the request buffer is allocated. While this doesn't happen with the request during processing, it can definitely happen when mistakenly trying to reference a path from the response since the request channel is not allocated anymore. It's certain that this bug was emphasized by the buffer changes that went in 1.9 and the HTTP refactoring, but at first glance, 1.8 doesn't seem 100% safe either so it's possible that older versions are affected as well. Thanks to PiBa-NL for reporting this bug with a reproducer. --- src/proto_http.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/proto_http.c b/src/proto_http.c index 39900deac1..a8a1728a8d 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -440,6 +440,9 @@ char *http_txn_get_path(const struct http_txn *txn) { struct ist ret; + if (!txn->req.chn->buf.size) + return NULL; + ret = http_get_path(ist2(ci_head(txn->req.chn) + txn->req.sl.rq.u, txn->req.sl.rq.u_l)); return ret.ptr; -- 2.47.2
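Review bot: the guard `if (!txn->req.chn->buf.size) return NULL;` is the right early exit, but it introduces a NULL return that every caller of http_txn_get_path() must now tolerate; a caller that hands the result straight to code expecting a valid pointer only moves the crash instead of removing it, so the "path" sample fetch and the other callers should be audited in the same change, and the function's doc comment updated to state that it returns NULL when the request buffer is not allocated. A one-line comment above the test explaining that a zero `buf.size` means the request channel's buffer has already been released (the response-side case the commit message describes) would also make the intent obvious to whoever backports this to 1.8, where the message says the same condition may be reachable.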