From: Tristan Madani Date: Tue, 16 Jun 2026 08:46:03 +0000 (+0200) Subject: BUG/MEDIUM: mux-fcgi: fix uint16_t overflow in drl += drp X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5985276735777634d8c85f1d73bb7764aab0d6dd;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: mux-fcgi: fix uint16_t overflow in drl += drp The FCGI demux record length field (drl) is uint16_t. In the ignore_record path, the expression "fconn->drl += fconn->drp" overflows to 0 when contentLength=65535 and paddingLength>=1. This causes the state machine to consider the record complete without consuming any buffer data. The remaining buffer contents are then parsed as new FCGI record headers. The same drl+=drp pattern at lines 2382/2418/2475 is not affected because drl is guaranteed to be 0 at those points (all content bytes are consumed before reaching end_transfer). Widen drl from uint16_t to uint32_t so that the addition of drp (uint8_t, max 255) cannot overflow. Reported-by: Tristan (@TristanInSec) --- diff --git a/src/mux_fcgi.c b/src/mux_fcgi.c index c956b58ad..8d81ff849 100644 --- a/src/mux_fcgi.c +++ b/src/mux_fcgi.c @@ -54,7 +54,7 @@ struct fcgi_conn { uint32_t flags; /* Connection flags: FCGI_CF_* */ int16_t dsi; /* dmux stream ID (<0 = idle ) */ - uint16_t drl; /* demux record length (if dsi >= 0) */ + uint32_t drl; /* demux record length (if dsi >= 0) */ uint8_t drt; /* demux record type (if dsi >= 0) */ uint8_t drp; /* demux record padding (if dsi >= 0) */
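Review bot: the widening at `uint32_t drl;` removes the wrap, but the field comment still says "demux record length" while, per the commit message, the ignore path now folds the padding into it with `drl += drp`; extend the comment to say the value is content length plus padding once padding has been merged, so nobody later narrows it back to uint16_t (it is "guaranteed" to fit only because the wire field is 16 bits and drp is a uint8_t). Two smaller points on the same hunk: placing a 4-byte `drl` directly after `int16_t dsi;` opens a 2-byte hole where the old `uint16_t drl` packed tightly, so moving `drl` next to `uint32_t flags;` would keep the struct layout as compact as before; and since the other three `drl += drp` sites are described as safe only because drl is 0 there, that invariant lives in reasoning rather than in code, so a comment or explicit check at those sites would stop a future refactor from reintroducing the same class of bug.

The failure mode the commit message describes, shown as an added C model rather than HAProxy's own demuxer code: a record with contentLength=65535 and paddingLength=1 makes a 16-bit `drl += drp` wrap to 0, so the record is treated as complete after only its 8-byte header and the payload is then read as the next record header; a 32-bit accumulator skips the whole record. The functions, the simplified one-shot skip (the real demuxer consumes in chunks and waits for more data), and the input stream are all constructed for this example; the header layout is the standard 8-byte FastCGI record header.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FCGI_HDR_LEN      8
#define FCGI_STDOUT       6
#define FCGI_UNKNOWN_TYPE 11
/* 8-byte header + 65535 content bytes + 1 padding byte */
#define STREAM_LEN (FCGI_HDR_LEN + 65535 + 1)

struct fcgi_hdr {
    uint8_t  version;
    uint8_t  type;
    uint16_t id;
    uint16_t len;      /* contentLength: 16 bits on the wire, at most 65535 */
    uint8_t  padding;  /* paddingLength: 8 bits, at most 255 */
};

/* Decode the 8-byte FastCGI record header (multi-byte fields are big-endian). */
static int fcgi_decode_hdr(const uint8_t *buf, size_t avail, struct fcgi_hdr *h)
{
    if (avail < FCGI_HDR_LEN)
        return 0;
    h->version = buf[0];
    h->type    = buf[1];
    h->id      = (uint16_t)((buf[2] << 8) | buf[3]);
    h->len     = (uint16_t)((buf[4] << 8) | buf[5]);
    h->padding = buf[6];
    return 1;
}

/* Model of the ignore_record path (hypothetical, not HAProxy's code): after the
 * header is read, the padding is folded into the remaining length (drl += drp)
 * and that many bytes are skipped. wide=1 keeps the sum in 32 bits (the fix);
 * wide=0 narrows it to 16 bits exactly as the old uint16_t field did.
 * Returns the offset at which the next header will be parsed, or -1 if no
 * full header is available. */
static long fcgi_ignore_record(const uint8_t *buf, size_t avail, int wide)
{
    struct fcgi_hdr h;
    uint32_t drl;
    size_t skip;

    if (!fcgi_decode_hdr(buf, avail, &h))
        return -1;
    if (wide)
        drl = (uint32_t)h.len + h.padding;              /* 65535 + 255 fits */
    else
        drl = (uint16_t)((uint32_t)h.len + h.padding);  /* 65535 + 1 wraps to 0 */

    skip = FCGI_HDR_LEN + drl;
    if (skip > avail)
        skip = avail;   /* the real demuxer would wait for more data instead */
    return (long)skip;
}

/* Constructed input (not a captured stream): one record with contentLength=65535
 * and paddingLength=1 whose payload begins with bytes shaped like a second,
 * sender-chosen FCGI_STDOUT header. Returns the stream length. */
static size_t build_crafted_stream(uint8_t *out, size_t cap)
{
    static const uint8_t hdr[FCGI_HDR_LEN]  = { 1, FCGI_UNKNOWN_TYPE, 0, 1, 0xFF, 0xFF, 1, 0 };
    static const uint8_t fake[FCGI_HDR_LEN] = { 1, FCGI_STDOUT,       0, 1, 0x00, 0x04, 0, 0 };

    if (cap < STREAM_LEN)
        return 0;
    memcpy(out, hdr, FCGI_HDR_LEN);
    memset(out + FCGI_HDR_LEN, 'A', STREAM_LEN - FCGI_HDR_LEN);
    memcpy(out + FCGI_HDR_LEN, fake, FCGI_HDR_LEN);
    return STREAM_LEN;
}

/* Offset at which header parsing resumes on the crafted stream: 8 with the
 * 16-bit accumulator (nothing consumed), STREAM_LEN with the 32-bit one. */
static long crafted_resume_offset(int wide)
{
    static uint8_t stream[STREAM_LEN];
    size_t n = build_crafted_stream(stream, sizeof stream);
    return fcgi_ignore_record(stream, n, wide);
}

/* Type of the record the demuxer sees after the ignored one: FCGI_STDOUT (6)
 * means payload bytes were taken for a header; -1 means the stream was used up. */
static int next_record_type(int wide)
{
    static uint8_t stream[STREAM_LEN];
    struct fcgi_hdr next;
    size_t n = build_crafted_stream(stream, sizeof stream);
    long off = fcgi_ignore_record(stream, n, wide);

    if (off < 0 || !fcgi_decode_hdr(stream + off, n - (size_t)off, &next))
        return -1;
    return next.type;
}

int main(void)
{
    printf("uint16_t drl: resume at %ld, next type %d (payload misparsed as header)\n",
           crafted_resume_offset(0), next_record_type(0));
    printf("uint32_t drl: resume at %ld, next type %d (stream fully consumed)\n",
           crafted_resume_offset(1), next_record_type(1));
    return 0;
}
```

The narrowing cast in the wide=0 branch is deliberate: it reproduces the store into the old uint16_t field, which is where the wrap happened, rather than any arithmetic on the promoted int operands. With the wider accumulator the only upper bound that matters is 65535 + 255, so no explicit overflow check is needed in this path as long as the field is never narrowed again.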