BUG/MEDIUM: mux-fcgi: reject stream ID 0 for application records
authorChristopher Faulet <cfaulet@haproxy.com>
Tue, 26 May 2026 11:56:12 +0000 (13:56 +0200)
committerChristopher Faulet <cfaulet@haproxy.com>
Tue, 26 May 2026 16:28:07 +0000 (18:28 +0200)
Records with a stream ID set to 0 are reserved for management records.
However there was no check to trigger an error if an application record is
received with a stream ID set to 0. This could lead to a crash because management
streams (which are static and immutable) can be modified while processing
application records (STDOUT/STDERR/END_REQUEST).

To fix the issue, An error is returned if the stream ID 0 is set on
GET_VALUES_RESULT or UNKNOWN_TYPE records.

This patch must be backported to all stable versions.

src/mux_fcgi.c

index 8838be95dddad30ef30cc8214bab1c16ec7c01c6..7bd5d82de5be3d37c01265956de34219dc818fb2 100644 (file)
@@ -2644,6 +2644,16 @@ static void fcgi_process_demux(struct fcgi_conn *fconn)
                }
                fstrm = tmp_fstrm;
 
+               if (fconn->dsi == 0 && fconn->drt != FCGI_GET_VALUES_RESULT && fconn->drt != FCGI_UNKNOWN_TYPE) {
+                       /* Stream ID 0 is reserved for management records and
+                        * must not used for application record type.
+                        */
+                       fconn->state = FCGI_CS_CLOSED;
+                       TRACE_ERROR("Application record with SID 0", FCGI_EV_RX_RECORD|FCGI_EV_RX_FHDR|FCGI_EV_RX_GETVAL|FCGI_EV_FCONN_ERR, fconn->conn);
+                       TRACE_STATE("switching to CLOSED", FCGI_EV_RX_RECORD|FCGI_EV_RX_FHDR|FCGI_EV_RX_GETVAL|FCGI_EV_FCONN_ERR, fconn->conn);
+                       goto fail;
+               }
+
                if (fstrm->state == FCGI_SS_CLOSED && fconn->dsi != 0) {
                        /* ignore all record for closed streams */
                        goto ignore_record;
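Review bot: The comment inside the new `fconn->dsi == 0` branch has a typo and omits the reason the check is security-relevant; it should read `must not be used for application record types`. It should also add a sentence saying that the stream selected for ID 0 is presumably the shared static management stream, which the application-record handlers must never write to. Both trace calls carry `FCGI_EV_RX_GETVAL` in their event mask although this branch is only taken when the record is not a GET_VALUES_RESULT, so that flag looks copied from a neighbouring path and could be dropped to keep trace filtering accurate. The condition enumerates the two accepted management types inline, so the comment should also note that any management record type handled later must be added here. fcgi_process_demux starts and ends outside the hunk, so the lookup that fills `tmp_fstrm` and the `fail` label are not visible here.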