44 lines
1.7 KiB
Plaintext
44 lines
1.7 KiB
Plaintext
$OpenBSD: patch-src_proto_http_c,v 1.1 2013/04/03 06:23:25 jasper Exp $
|
|
|
|
Security fix for CVE-2013-1912, haproxy may crash on TCP content inspection rules
|
|
BUG/CRITICAL: using HTTP information in tcp-request content may crash the process
|
|
|
|
--- src/proto_http.c.orig Tue Aug 14 09:09:31 2012
|
|
+++ src/proto_http.c Wed Apr 3 08:20:41 2013
|
|
@@ -8278,6 +8278,14 @@ acl_fetch_proto_http(struct proxy *px, struct session
|
|
return 1;
|
|
}
|
|
|
|
+ /* If the buffer does not leave enough free space at the end,
|
|
+ * we must first realign it.
|
|
+ */
|
|
+ if (unlikely(req->lr > req->data &&
|
|
+ (req->r < req->lr || req->r > req->data + req->size - global.tune.maxrewrite)) &&
|
|
+ (req->l <= req->size - global.tune.maxrewrite))
|
|
+ http_buffer_heavy_realign(req, msg);
|
|
+
|
|
/* Try to decode HTTP request */
|
|
if (likely(req->lr < req->r))
|
|
http_msg_analyzer(req, msg, &txn->hdr_idx);
|
|
@@ -8295,6 +8303,20 @@ acl_fetch_proto_http(struct proxy *px, struct session
|
|
/* OK we got a valid HTTP request. We have some minor preparation to
|
|
* perform so that further checks can rely on HTTP tests.
|
|
*/
|
|
+
|
|
+ /* If the request was parsed but was too large, we must absolutely
|
|
+ * return an error so that it is not processed. At the moment this
|
|
+ * cannot happen, but if the parsers are to change in the future,
|
|
+ * we want this check to be maintained.
|
|
+ */
|
|
+ if (unlikely(req->lr > req->data &&
|
|
+ (req->r < req->lr || req->l > req->size - global.tune.maxrewrite ||
|
|
+ req->r > req->data + req->size - global.tune.maxrewrite))) {
|
|
+ msg->msg_state = HTTP_MSG_ERROR;
|
|
+ test->flags |= ACL_TEST_F_SET_RES_PASS;
|
|
+ return 1;
|
|
+ }
|
|
+
|
|
txn->meth = find_http_meth(msg->sol, msg->sl.rq.m_l);
|
|
if (txn->meth == HTTP_METH_GET || txn->meth == HTTP_METH_HEAD)
|
|
s->flags |= SN_REDIRECTABLE;
|