From: Christopher Faulet
Date: Wed, 4 Mar 2026 13:53:04 +0000 (+0100)
Subject: BUG/MAJOR: fcgi: Fix param decoding by properly checking its size
X-Git-Tag: v3.4-dev6~9
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=96286b2a8440e98c43c5a027a3f820ca327cb1e5;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: fcgi: Fix param decoding by properly checking its size

In functions used to decode an FCGI parameter, the test on the data length before reading the parameter's name and value did not consider the offset value used to skip already parsed data. So it was possible to read more data than available (OOB read). To do so, a malicious FCGI server must send a forged GET_VALUES_RESULT record containing a parameter with wrong name/value length.

Thank you to Kamil Frankowicz for having reported this.

This patch must be backported to all stable versions.
---
diff --git a/src/fcgi.c b/src/fcgi.c index 1d1a82b4c..0ff76156f 100644 --- a/src/fcgi.c +++ b/src/fcgi.c @@ -198,7 +198,7 @@ size_t fcgi_decode_param(const struct buffer *in, size_t o, struct fcgi_param *p len += 4; } - if (data < nlen + vlen) + if (data < o + nlen + vlen) return 0; p->n = ist2(b_peek(in, o), nlen); @@ -253,7 +253,7 @@ size_t fcgi_aligned_decode_param(const struct buffer *in, size_t o, struct fcgi_ len += 4; } - if (data < nlen + vlen) + if (data < o + nlen + vlen) return 0; p->n = ist2(in->area + o, nlen);
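Review bot: in the fcgi_decode_param hunk, the corrected bound `if (data < o + nlen + vlen)` is computed as an addition, and both nlen and vlen can come from the 4-byte length encoding (the `len += 4;` branch visible above the check), so on a build where size_t is 32 bits the sum `o + nlen + vlen` can wrap and make the comparison pass with lengths that still exceed the buffer. Prefer the subtraction form, which cannot wrap as long as the earlier per-byte checks keep o <= data (assumed here, not visible in the hunk): `if (nlen > data - o || vlen > data - o - nlen) return 0;`. The fix is otherwise right: `p->n = ist2(b_peek(in, o), nlen)` reads from offset o, so the available-data check had to account for o.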
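Review bot: the fcgi_aligned_decode_param hunk carries the identical check, and here it is the only thing guarding the raw pointer arithmetic in `p->n = ist2(in->area + o, nlen);` (no b_peek wrapping), so the same wrap-around concern on 32-bit size_t applies and the same subtraction form should be used in both places; since the two functions now duplicate this bound, consider factoring it into one shared helper so the two copies cannot drift apart again. The commit message names the reporter but no issue or advisory identifier; if one exists for this OOB read, add it so the backport to the stable branches can be traced, and a regression test built from the GET_VALUES_RESULT case the message describes (a parameter whose declared name/value length exceeds the record) would lock in the fix.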