Hello community, here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2016-08-03 11:43:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/haproxy (Old) and /work/SRC/openSUSE:Factory/.haproxy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haproxy" Changes: -------- --- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2016-06-14 23:07:09.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.haproxy.new/haproxy.changes 2016-08-03 11:43:12.000000000 +0200 
@@ -1,0 +2,76 @@ +Tue Jul 19 01:50:28 UTC 2016 - [email protected] + +- update to 1.6.7 + - MINOR: new function my_realloc2 = realloc + free upon failure + - CLEANUP: fixed some usages of realloc leading to memory leak + - Revert "BUG/MINOR: ssl: fix potential memory leak in + ssl_sock_load_dh_params()" + - BUG/MEDIUM: dns: fix alignment issues in the DNS response + parser + - BUG/MINOR: Fix endiness issue in DNS header creation code +- changes from 1.6.6 + - BUG/MAJOR: fix listening IP address storage for frontends + - BUG/MINOR: fix listening IP address storage for frontends + (cont) + - DOC: Fix typo so fetch is properly parsed by Cyril's converter + - BUG/MAJOR: http: fix breakage of "reqdeny" causing random + crashes + - BUG/MEDIUM: stick-tables: fix breakage in table converters + - BUG/MEDIUM: dns: unbreak DNS resolver after header fix + - BUILD: fix build on Solaris 11 + - CLEANUP: connection: fix double negation on memcmp() + - BUG/MEDIUM: stats: show servers state may show an servers from + another backend + - BUG/MEDIUM: fix risk of segfault with "show tls-keys" + - BUG/MEDIUM: sticktables: segfault in some configuration error + cases + - BUG/MEDIUM: lua: converters doesn't work + - BUG/MINOR: http: add-header: header name copied twice + - BUG/MEDIUM: http: add-header: buffer overwritten + - BUG/MINOR: ssl: fix potential memory leak in + ssl_sock_load_dh_params() + - BUG/MINOR: http: url32+src should use the big endian version of + url32 + - BUG/MINOR: http: url32+src should check cli_conn before using + it + - DOC: http: add documentation for url32 and url32+src + - BUG/MINOR: fix http-response set-log-level parsing error + - MINOR: systemd: Use variable for config and pidfile paths + - MINOR: systemd: Perform sanity check on config before reload + (cherry picked from commit + 68535bddf305fdd22f1449a039939b57245212e7) + - BUG/MINOR: init: always ensure that global.rlimit_nofile + matches actual limits + - BUG/MINOR: init: ensure that FD limit is raised 
to the max + allowed + - BUG/MEDIUM: external-checks: close all FDs right after the + fork() + - BUG/MAJOR: external-checks: use asynchronous signal delivery + - BUG/MINOR: external-checks: do not unblock undesired signals + - BUILD/MEDIUM: rebuild everything when an include file is + changed + - BUILD/MEDIUM: force a full rebuild if some build options change + - BUG/MINOR: srv-state: fix incorrect output of state file + - BUG/MINOR: ssl: close ssl key file on error + - BUG/MINOR: http: fix misleading error message for response + captures + - BUG/BUILD: don't automatically run "make" on "make install" + - DOC: add missing doc for + http-request deny [deny_status <status>] +- drop patches which were pulled from git before + 0001-BUG-MAJOR-fix-listening-IP-address-storage-for-front.patch + 0002-BUG-MINOR-fix-listening-IP-address-storage-for-front.patch + 0003-DOC-Fix-typo-so-fetch-is-properly-parsed-by-Cyril-s-.patch + 0004-BUG-MAJOR-http-fix-breakage-of-reqdeny-causing-rando.patch + 0005-BUG-MEDIUM-stick-tables-fix-breakage-in-table-conver.patch + 0006-BUG-MEDIUM-dns-unbreak-DNS-resolver-after-header-fix.patch + 0007-BUILD-fix-build-on-Solaris-11.patch + 0008-CLEANUP-connection-fix-double-negation-on-memcmp.patch + 0009-BUG-MEDIUM-stats-show-servers-state-may-show-an-serv.patch + 0010-BUG-MEDIUM-fix-risk-of-segfault-with-show-tls-keys.patch + 0011-BUG-MEDIUM-sticktables-segfault-in-some-configuratio.patch + 0012-BUG-MEDIUM-lua-converters-doesn-t-work.patch + 0013-BUG-MINOR-http-add-header-header-name-copied-twice.patch + 0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch + +------------------------------------------------------------------- Old: ---- 0001-BUG-MAJOR-fix-listening-IP-address-storage-for-front.patch 0002-BUG-MINOR-fix-listening-IP-address-storage-for-front.patch 0003-DOC-Fix-typo-so-fetch-is-properly-parsed-by-Cyril-s-.patch 0004-BUG-MAJOR-http-fix-breakage-of-reqdeny-causing-rando.patch 
0005-BUG-MEDIUM-stick-tables-fix-breakage-in-table-conver.patch 0006-BUG-MEDIUM-dns-unbreak-DNS-resolver-after-header-fix.patch 0007-BUILD-fix-build-on-Solaris-11.patch 0008-CLEANUP-connection-fix-double-negation-on-memcmp.patch 0009-BUG-MEDIUM-stats-show-servers-state-may-show-an-serv.patch 0010-BUG-MEDIUM-fix-risk-of-segfault-with-show-tls-keys.patch 0011-BUG-MEDIUM-sticktables-segfault-in-some-configuratio.patch 0012-BUG-MEDIUM-lua-converters-doesn-t-work.patch 0013-BUG-MINOR-http-add-header-header-name-copied-twice.patch 0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch haproxy-1.6.5.tar.gz New: ---- haproxy-1.6.7.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ haproxy.spec ++++++
--- /var/tmp/diff_new_pack.H2eTA4/_old 2016-08-03 11:43:13.000000000 +0200
+++ /var/tmp/diff_new_pack.H2eTA4/_new 2016-08-03 11:43:13.000000000 +0200
@@ -41,7 +41,7 @@
 %bcond_without apparmor
 
 Name: haproxy
-Version: 1.6.5
+Version: 1.6.7
 Release: 0
 #
 #
@@ -74,20 +74,6 @@
 Patch1: haproxy-1.6.0_config_haproxy_user.patch
 Patch2: haproxy-1.6.0-makefile_lib.patch
 Patch3: haproxy-1.6.0-sec-options.patch
-Patch11: 0001-BUG-MAJOR-fix-listening-IP-address-storage-for-front.patch
-Patch12: 0002-BUG-MINOR-fix-listening-IP-address-storage-for-front.patch
-Patch13: 0003-DOC-Fix-typo-so-fetch-is-properly-parsed-by-Cyril-s-.patch
-Patch14: 0004-BUG-MAJOR-http-fix-breakage-of-reqdeny-causing-rando.patch
-Patch15: 0005-BUG-MEDIUM-stick-tables-fix-breakage-in-table-conver.patch
-Patch16: 0006-BUG-MEDIUM-dns-unbreak-DNS-resolver-after-header-fix.patch
-Patch17: 0007-BUILD-fix-build-on-Solaris-11.patch
-Patch18: 0008-CLEANUP-connection-fix-double-negation-on-memcmp.patch
-Patch19: 0009-BUG-MEDIUM-stats-show-servers-state-may-show-an-serv.patch
-Patch20: 0010-BUG-MEDIUM-fix-risk-of-segfault-with-show-tls-keys.patch
-Patch21: 0011-BUG-MEDIUM-sticktables-segfault-in-some-configuratio.patch
-Patch22: 0012-BUG-MEDIUM-lua-converters-doesn-t-work.patch
-Patch23: 0013-BUG-MINOR-http-add-header-header-name-copied-twice.patch
-Patch24: 0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch
 #
 Source99: haproxy-rpmlintrc
 #
@@ -121,20 +107,6 @@
 %patch1 -p1
 %patch2
 %patch3
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
 
 %build
 %{__make} \
++++++ haproxy-1.6.5.tar.gz -> haproxy-1.6.7.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/CHANGELOG new/haproxy-1.6.7/CHANGELOG
--- old/haproxy-1.6.5/CHANGELOG 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/CHANGELOG 2016-07-13 19:57:01.000000000 +0200
@@ -1,6 +1,48 @@
 ChangeLog :
 ===========
 
+2016/07/13 : 1.6.7
+ - MINOR: new function my_realloc2 = realloc + free upon failure
+ - CLEANUP: fixed some usages of realloc leading to memory leak
+ - Revert "BUG/MINOR: ssl: fix potential memory leak in ssl_sock_load_dh_params()"
+ - BUG/MEDIUM: dns: fix alignment issues in the DNS response parser
+ - BUG/MINOR: Fix endiness issue in DNS header creation code
+
+2016/06/26 : 1.6.6
+ - BUG/MAJOR: fix listening IP address storage for frontends
+ - BUG/MINOR: fix listening IP address storage for frontends (cont)
+ - DOC: Fix typo so fetch is properly parsed by Cyril's converter
+ - BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes
+ - BUG/MEDIUM: stick-tables: fix breakage in table converters
+ - BUG/MEDIUM: dns: unbreak DNS resolver after header fix
+ - BUILD: fix build on Solaris 11
+ - CLEANUP: connection: fix double negation on memcmp()
+ - BUG/MEDIUM: stats: show servers state may show an servers from another backend
+ - BUG/MEDIUM: fix risk of segfault with "show tls-keys"
+ - BUG/MEDIUM: sticktables: segfault in some configuration error cases
+ - BUG/MEDIUM: lua: converters doesn't work
+ - BUG/MINOR: http: add-header: header name copied twice
+ - BUG/MEDIUM: http: add-header: buffer overwritten
+ - BUG/MINOR: ssl: fix potential memory leak in ssl_sock_load_dh_params()
+ - BUG/MINOR: http: url32+src should use the big endian version of url32
+ - BUG/MINOR: http: url32+src should check cli_conn before using it
+ - DOC: http: add documentation for url32 and url32+src
+ - BUG/MINOR: fix http-response set-log-level parsing error
+ - MINOR: systemd: Use variable for config and pidfile paths
+ - MINOR: systemd: Perform sanity check on config before reload (cherry picked from commit 68535bddf305fdd22f1449a039939b57245212e7)
+ - BUG/MINOR: init: always ensure that global.rlimit_nofile matches actual limits
+ - BUG/MINOR: init: ensure that FD limit is raised to the max allowed
+ - BUG/MEDIUM: external-checks: close all FDs right after the fork()
+ - BUG/MAJOR: external-checks: use asynchronous signal delivery
+ - BUG/MINOR: external-checks: do not unblock undesired signals
+ - BUILD/MEDIUM: rebuild everything when an include file is changed
+ - BUILD/MEDIUM: force a full rebuild if some build options change
+ - BUG/MINOR: srv-state: fix incorrect output of state file
+ - BUG/MINOR: ssl: close ssl key file on error
+ - BUG/MINOR: http: fix misleading error message for response captures
+ - BUG/BUILD: don't automatically run "make" on "make install"
+ - DOC: add missing doc for http-request deny [deny_status <status>]
+
 2016/05/10 : 1.6.5
 - BUG/MINOR: log: Don't use strftime() which can clobber timezone if chrooted
 - BUILD: namespaces: fix a potential build warning in namespaces.c
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/Makefile new/haproxy-1.6.7/Makefile
--- old/haproxy-1.6.5/Makefile 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/Makefile 2016-07-13 19:57:01.000000000 +0200
@@ -49,6 +49,7 @@
 # ARCH may be useful to force build of 32-bit binary on 64-bit systems
 # CFLAGS is automatically set for the specified CPU and may be overridden.
 # LDFLAGS is automatically set to -g and may be overridden.
+# DEP may be cleared to ignore changes to include files during development
 # SMALL_OPTS may be used to specify some options to shrink memory usage.
 # DEBUG may be used to set some internal debugging options.
 # ADDINC may be used to complete the include path in the form -Ipath.
@@ -759,6 +760,13 @@
 # Not used right now
 LIB_EBTREE = $(EBTREE_DIR)/libebtree.a
+# Used only for forced dependency checking. May be cleared during development.
+INCLUDES = $(wildcard include/*/*.h ebtree/*.h)
+DEP = $(INCLUDES) .build_opts
+
+# Used only to force a rebuild if some build options change
+.build_opts: $(shell rm -f .build_opts.new; echo \'$(TARGET) $(BUILD_OPTIONS) $(VERBOSE_CFLAGS)\' > .build_opts.new; if cmp -s .build_opts .build_opts.new; then rm -f .build_opts.new; else mv -f .build_opts.new .build_opts; fi)
+
 haproxy: $(OBJS) $(OPTIONS_OBJS) $(EBTREE_OBJS)
 	$(LD) $(LDFLAGS) -o $@ $^ $(LDOPTS)
@@ -771,13 +779,13 @@
 objsize: haproxy
 	@objdump -t $^|grep ' g '|grep -F '.text'|awk '{print $$5 FS $$6}'|sort
 
-%.o: %.c
+%.o: %.c $(DEP)
 	$(CC) $(COPTS) -c -o $@ $<
 
-src/trace.o: src/trace.c
+src/trace.o: src/trace.c $(DEP)
 	$(CC) $(TRACE_COPTS) -c -o $@ $<
 
-src/haproxy.o: src/haproxy.c
+src/haproxy.o: src/haproxy.c $(DEP)
 	$(CC) $(COPTS) \
 		-DBUILD_TARGET='"$(strip $(TARGET))"' \
 		-DBUILD_ARCH='"$(strip $(ARCH))"' \
@@ -787,12 +795,12 @@
 		-DBUILD_OPTIONS='"$(strip $(BUILD_OPTIONS))"' \
 		-c -o $@ $<
 
-src/haproxy-systemd-wrapper.o: src/haproxy-systemd-wrapper.c
+src/haproxy-systemd-wrapper.o: src/haproxy-systemd-wrapper.c $(DEP)
 	$(CC) $(COPTS) \
 		-DSBINDIR='"$(strip $(SBINDIR))"' \
 		-c -o $@ $<
 
-src/dlmalloc.o: $(DLMALLOC_SRC)
+src/dlmalloc.o: $(DLMALLOC_SRC) $(DEP)
 	$(CC) $(COPTS) -DDEFAULT_MMAP_THRESHOLD=$(DLMALLOC_THRES) -c -o $@ $<
 
 install-man:
@@ -808,7 +816,13 @@
 		install -m 644 doc/$$x.txt "$(DESTDIR)$(DOCDIR)" ; \
 	done
 
-install-bin: haproxy $(EXTRA)
+install-bin:
+	@for i in haproxy $(EXTRA); do \
+		if ! [ -e "$$i" ]; then \
+			echo "Please run 'make' before 'make install'."; \
+			exit 1; \
+		fi; \
+	done
 	install -d "$(DESTDIR)$(SBINDIR)"
 	install haproxy $(EXTRA) "$(DESTDIR)$(SBINDIR)"
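Review bot: The `.build_opts` rule embeds `$(TARGET) $(BUILD_OPTIONS) $(VERBOSE_CFLAGS)` inside single quotes through `echo \'...\'`, so any option value that itself contains a single quote (a `-D` string define, for instance) breaks the shell command and the option change goes undetected; writing the value with `printf '%s\n' '$(subst ','\'',$(TARGET) $(BUILD_OPTIONS) $(VERBOSE_CFLAGS))'` would escape it. Because it sits in `$(shell ...)` inside a prerequisite list it also runs at parse time on every invocation, including `make clean` and `make install`, so the file is rewritten in the source tree even for targets that never compile; that is presumably acceptable but deserves a comment such as `# evaluated at parse time on every make run, not only when building`. The `@@ -808` hunk makes `install-bin` no longer depend on `haproxy $(EXTRA)`, which is what the existence check is for; that part looks fine.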
@@ -824,7 +838,7 @@
 		rm -f "$(DESTDIR)$(SBINDIR)"/haproxy-systemd-wrapper
 
 clean:
-	rm -f *.[oas] src/*.[oas] ebtree/*.[oas] haproxy test
+	rm -f *.[oas] src/*.[oas] ebtree/*.[oas] haproxy test .build_opts .build_opts.new
 	for dir in . src include/* doc ebtree; do rm -f $$dir/*~ $$dir/*.rej $$dir/core; done
 	rm -f haproxy-$(VERSION).tar.gz haproxy-$(VERSION)$(SUBVERS).tar.gz
 	rm -f haproxy-$(VERSION) haproxy-$(VERSION)$(SUBVERS) nohup.out gmon.out
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/README new/haproxy-1.6.7/README
--- old/haproxy-1.6.5/README 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/README 2016-07-13 19:57:01.000000000 +0200
@@ -3,7 +3,7 @@ ---------------------- version 1.6 willy tarreau - 2016/05/10 + 2016/07/13 1) How to build it
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/VERDATE new/haproxy-1.6.7/VERDATE
--- old/haproxy-1.6.5/VERDATE 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/VERDATE 2016-07-13 19:57:01.000000000 +0200
@@ -1,2 +1,2 @@
 $Format:%ci$
-2016/05/10
+2016/07/13
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/VERSION new/haproxy-1.6.7/VERSION
--- old/haproxy-1.6.5/VERSION 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/VERSION 2016-07-13 19:57:01.000000000 +0200
@@ -1 +1 @@
-1.6.5
+1.6.7
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/contrib/systemd/haproxy.service.in new/haproxy-1.6.7/contrib/systemd/haproxy.service.in
--- old/haproxy-1.6.5/contrib/systemd/haproxy.service.in 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/contrib/systemd/haproxy.service.in 2016-07-13 19:57:01.000000000 +0200
@@ -3,8 +3,10 @@
 After=network.target
 
 [Service]
-ExecStartPre=@SBINDIR@/haproxy -f /etc/haproxy/haproxy.cfg -c -q
-ExecStart=@SBINDIR@/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
+Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid"
+ExecStartPre=@SBINDIR@/haproxy -f $CONFIG -c -q
+ExecStart=@SBINDIR@/haproxy-systemd-wrapper -f $CONFIG -p $PIDFILE
+ExecReload=@SBINDIR@/haproxy -f $CONFIG -c -q
 ExecReload=/bin/kill -USR2 $MAINPID
 KillMode=mixed
 Restart=always
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/doc/configuration.txt new/haproxy-1.6.7/doc/configuration.txt
--- old/haproxy-1.6.5/doc/configuration.txt 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/doc/configuration.txt 2016-07-13 19:57:01.000000000 +0200
@@ -4,7 +4,7 @@ ---------------------- version 1.6 willy tarreau - 2016/05/10 + 2016/07/13 This document covers the configuration language as implemented in the version
@@ -3421,7 +3421,8 @@ See also : "option httpchk", "http-check disable-on-404" -http-request { allow | deny | tarpit | auth [realm <realm>] | redirect <rule> | +http-request { allow | tarpit | auth [realm <realm>] | redirect <rule> | + deny [deny_status <status>] | add-header <name> <fmt> | set-header <name> <fmt> | capture <sample> [ len <length> | id <id> ] | del-header <name> | set-nice <nice> | set-log-level <level> |
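Review bot: `$CONFIG` and `$PIDFILE` in the new ExecStartPre/ExecStart/ExecReload lines are expanded by systemd with word splitting, so an override that sets CONFIG to a path containing whitespace is passed as several arguments and the config check fails; the `${VAR}` form passes the value as a single argument regardless of its content. Changing the three lines to `ExecStartPre=@SBINDIR@/haproxy -f ${CONFIG} -c -q`, `ExecStart=@SBINDIR@/haproxy-systemd-wrapper -f ${CONFIG} -p ${PIDFILE}` and `ExecReload=@SBINDIR@/haproxy -f ${CONFIG} -c -q` keeps the intended behaviour for the default values. A short comment above `Environment=` saying that both values can be overridden from a drop-in would also help operators, since that is the reason the paths were moved into variables.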
@@ -3456,8 +3457,10 @@ pass the check. No further "http-request" rules are evaluated. - "deny" : this stops the evaluation of the rules and immediately rejects - the request and emits an HTTP 403 error. No further "http-request" rules - are evaluated. + the request and emits an HTTP 403 error, or optionally the status code + specified as an argument to "deny_status". The list of permitted status + codes is limited to those that can be overridden by the "errorfile" + directive. No further "http-request" rules are evaluated. - "tarpit" : this stops the evaluation of the rules and immediately blocks the request without responding for a delay specified by "timeout tarpit" @@ -13043,7 +13046,7 @@ that the SSL library is build with support for TLS extensions enabled (check haproxy -vv). -ssl_fc_is_resumed: boolean +ssl_fc_is_resumed : boolean Returns true if the SSL/TLS session has been resumed through the use of SSL session cache or TLS tickets. 
@@ -13854,6 +13857,18 @@ and converts it to an integer value. This can be used for session stickiness based on a user ID for example, or with ACLs to match a page number or price. +url32 : integer + This returns a 32-bit hash of the value obtained by concatenating the first + Host header and the whole URL including parameters (not only the path part of + the request, as in the "base32" fetch above). This is useful to track per-URL + activity. A shorter hash is stored, saving a lot of memory. The output type + is an unsigned integer. + +url32+src : binary + This returns the concatenation of the "url32" fetch and the "src" fetch. The + resulting type is of type binary, with a size of 8 or 20 bytes depending on + the source address family. This can be used to track per-IP, per-URL counters. + 7.4. Pre-defined ACLs ---------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/examples/haproxy.spec new/haproxy-1.6.7/examples/haproxy.spec
--- old/haproxy-1.6.5/examples/haproxy.spec 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/examples/haproxy.spec 2016-07-13 19:57:01.000000000 +0200
@@ -1,6 +1,6 @@
 Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments
 Name: haproxy
-Version: 1.6.5
+Version: 1.6.7
 Release: 1
 License: GPL
 Group: System Environment/Daemons
@@ -74,6 +74,12 @@
 %attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name}
 
 %changelog
+* Wed Jul 13 2016 Willy Tarreau <[email protected]>
+- updated to 1.6.7
+
+* Sun Jun 26 2016 Willy Tarreau <[email protected]>
+- updated to 1.6.6
+
 * Tue May 10 2016 Willy Tarreau <[email protected]>
 - updated to 1.6.5
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/include/common/standard.h new/haproxy-1.6.7/include/common/standard.h
--- old/haproxy-1.6.5/include/common/standard.h 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/include/common/standard.h 2016-07-13 19:57:01.000000000 +0200
@@ -813,10 +813,10 @@
 }
 
 /* Return true if IPv4 address is part of the network */
-extern int in_net_ipv4(struct in_addr *addr, struct in_addr *mask, struct in_addr *net);
+extern int in_net_ipv4(const void *addr, const struct in_addr *mask, const struct in_addr *net);
 
 /* Return true if IPv6 address is part of the network */
-extern int in_net_ipv6(struct in6_addr *addr, struct in6_addr *mask, struct in6_addr *net);
+extern int in_net_ipv6(const void *addr, const struct in6_addr *mask, const struct in6_addr *net);
 
 /* Map IPv4 adress on IPv6 address, as specified in RFC 3513. */
 extern void v4tov6(struct in6_addr *sin6_addr, struct in_addr *sin_addr);
@@ -1009,8 +1009,7 @@
  * the whole code is optimized out. In little endian, with a decent compiler,
  * a few bswap and 2 shifts are left, which is the minimum acceptable.
  */
-#ifndef htonll
-static inline unsigned long long htonll(unsigned long long a)
+static inline unsigned long long my_htonll(unsigned long long a)
 {
 	union {
 		struct {
@@ -1021,15 +1020,12 @@
 	} w = { .by64 = a };
 	return ((unsigned long long)htonl(w.by32.w1) << 32) | htonl(w.by32.w2);
 }
-#endif
 
 /* Turns 64-bit value <a> from network byte order to host byte order. */
-#ifndef ntohll
-static inline unsigned long long ntohll(unsigned long long a)
+static inline unsigned long long my_ntohll(unsigned long long a)
 {
-	return htonll(a);
+	return my_htonll(a);
 }
-#endif
 
 /* returns a 64-bit a timestamp with the finest resolution available. The
  * unit is intentionally not specified. It's mostly used to compare dates.
@@ -1050,4 +1046,23 @@
 }
 #endif
 
+/* append a copy of string <str> (in a wordlist) at the end of the list <li>
+ * On failure : return 0 and <err> filled with an error message.
+ * The caller is responsible for freeing the <err> and <str> copy
+ * memory area using free()
+ */
+struct list;
+int list_append_word(struct list *li, const char *str, char **err);
+
+/* same as realloc() except that ptr is also freed upon failure */
+static inline void *my_realloc2(void *ptr, size_t size)
+{
+	void *ret;
+
+	ret = realloc(ptr, size);
+	if (!ret && size)
+		free(ptr);
+	return ret;
+}
+
 #endif /* _COMMON_STANDARD_H */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/include/proto/proto_http.h new/haproxy-1.6.7/include/proto/proto_http.h
--- old/haproxy-1.6.5/include/proto/proto_http.h 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/include/proto/proto_http.h 2016-07-13 19:57:01.000000000 +0200
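Review bot: The header comment on `my_realloc2` in the `@@ -1050` hunk documents the failure case but not `size == 0`: `realloc(ptr, 0)` may release `ptr` and return NULL, and the `if (!ret && size)` guard rightly avoids a second `free()` then, but the caller gets NULL in both situations and cannot tell whether `ptr` is still live. The contract should state that `ptr` must be treated as released on every NULL return, for example `/* same as realloc() except that ptr is also freed upon failure. On any NULL return, ptr must not be used or freed again (for size == 0 realloc() may already have released it). */`. The callers switched to it in this commit (src/cfgparse.c, src/chunk.c) all assign the result back over the old pointer, which is the pattern this contract requires; that should be said in the comment so future callers do not keep a second copy.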
@@ -110,7 +110,7 @@
 int http_transform_header_str(struct stream* s, struct http_msg *msg, const char* name, unsigned int name_len, const char *str, struct my_regex *re, int action);
-void inet_set_tos(int fd, struct sockaddr_storage from, int tos);
+void inet_set_tos(int fd, const struct sockaddr_storage *from, int tos);
 void http_perform_server_redirect(struct stream *s, struct stream_interface *si);
 void http_return_srv_error(struct stream *s, struct stream_interface *si);
 void http_capture_bad_message(struct error_snapshot *es, struct stream *s,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/include/types/dns.h new/haproxy-1.6.7/include/types/dns.h
--- old/haproxy-1.6.5/include/types/dns.h 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/include/types/dns.h 2016-07-13 19:57:01.000000000 +0200
@@ -57,22 +57,13 @@
 
 /* DNS request or response header structure */
 struct dns_header {
-	unsigned short id:16; /* identifier */
-	unsigned char qr :1; /* query/response 0: query, 1: response */
-	unsigned char opcode :4; /* operation code */
-	unsigned char aa :1; /* authoritative answer 0: no, 1: yes */
-	unsigned char tc :1; /* truncation 0:no, 1: yes */
-	unsigned char rd :1; /* recursion desired 0: no, 1: yes */
-	unsigned char ra :1; /* recursion available 0: no, 1: yes */
-	unsigned char z :1; /* not used */
-	unsigned char ad :1; /* authentic data */
-	unsigned char cd :1; /* checking disabled */
-	unsigned char rcode :4; /* response code */
-	unsigned short qdcount :16; /* question count */
-	unsigned short ancount :16; /* answer count */
-	unsigned short nscount :16; /* authority count */
-	unsigned short arcount :16; /* additional count */
-};
+	uint16_t id;
+	uint16_t flags;
+	uint16_t qdcount;
+	uint16_t ancount;
+	uint16_t nscount;
+	uint16_t arcount;
+} __attribute__ ((packed));
 
 /* short structure to describe a DNS question */
 struct dns_question {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/include/types/proto_http.h new/haproxy-1.6.7/include/types/proto_http.h
--- old/haproxy-1.6.5/include/types/proto_http.h 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/include/types/proto_http.h 2016-07-13 19:57:01.000000000 +0200
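Review bot: The new `struct dns_header` drops every per-field comment, and in particular the bit layout of `flags` that the removed bitfields spelled out, so a reader of the response parser now has to reconstruct which bit is rcode or tc from RFC 1035. I would keep the information on the new fields: `uint16_t id;      /* identifier */`, `uint16_t flags;   /* network order: qr:1 opcode:4 aa:1 tc:1 rd:1 ra:1 z:1 ad:1 cd:1 rcode:4 */`, and `/* question / answer / authority / additional counts, network order */` on the four count fields. A one-line note that the struct is cast directly onto the wire buffer (`dns = (struct dns_header *)ptr` in src/dns.c), which is why every field is a network-order `uint16_t` and the struct is packed, would document the reason for the rewrite.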
@@ -362,7 +362,6 @@
 	unsigned int flags; /* transaction flags */
 	enum http_meth_t meth; /* HTTP method */
 	/* 1 unused byte here */
-	short rule_deny_status; /* HTTP status from rule when denying */
 	short status; /* HTTP status from the server, negative if from proxy */
 
 	char *uri; /* first line if log needed, NULL otherwise */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/cfgparse.c new/haproxy-1.6.7/src/cfgparse.c
--- old/haproxy-1.6.5/src/cfgparse.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/cfgparse.c 2016-07-13 19:57:01.000000000 +0200
@@ -285,7 +285,7 @@
 	}
 
 	/* OK the address looks correct */
-	ss = *ss2;
+	memcpy(&ss, ss2, sizeof(ss));
 
 	for (; port <= end; port++) {
 		l = (struct listener *)calloc(1, sizeof(struct listener));
@@ -296,7 +296,7 @@
 		l->bind_conf = bind_conf;
 		l->fd = fd;
-		l->addr = ss;
+		memcpy(&l->addr, &ss, sizeof(ss));
 		l->xprt = &raw_sock;
 		l->state = LI_INIT;
@@ -1580,10 +1580,10 @@
 		if (logsrv->maxlen > global.max_syslog_len) {
 			global.max_syslog_len = logsrv->maxlen;
-			logheader = realloc(logheader, global.max_syslog_len + 1);
-			logheader_rfc5424 = realloc(logheader_rfc5424, global.max_syslog_len + 1);
-			logline = realloc(logline, global.max_syslog_len + 1);
-			logline_rfc5424 = realloc(logline_rfc5424, global.max_syslog_len + 1);
+			logheader = my_realloc2(logheader, global.max_syslog_len + 1);
+			logheader_rfc5424 = my_realloc2(logheader_rfc5424, global.max_syslog_len + 1);
+			logline = my_realloc2(logline, global.max_syslog_len + 1);
+			logline_rfc5424 = my_realloc2(logline_rfc5424, global.max_syslog_len + 1);
 		}
 
 		/* after the length, a format may be specified */
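Review bot: In the `@@ -1580` hunk (and identically in `@@ -5945` below) the four `my_realloc2()` results are stored without a NULL check, so on allocation failure the old buffer is now correctly released but `logheader`, `logheader_rfc5424`, `logline` or `logline_rfc5424` is left NULL for whatever formats a log line later; the leak is fixed, but unless a check exists further down outside the hunk, a later write into the buffer becomes a NULL dereference rather than a parse error. I would add, after the four calls, `if (!logheader || !logheader_rfc5424 || !logline || !logline_rfc5424) { Alert("parsing [%s:%d] : out of memory.\n", file, linenum); err_code |= ERR_ALERT | ERR_ABORT; goto out; }` in the style of the surrounding config errors, adjusting the error-label and variable names to the enclosing function, which begins and ends outside the hunk. The `@@ -285` hunk's `memcpy(&ss, ss2, sizeof(ss))` relies on `ss2` pointing at a full `struct sockaddr_storage`; a comment saying so would save the next reader a trip to the helper that fills it.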
@@ -5945,10 +5945,10 @@
 		if (logsrv->maxlen > global.max_syslog_len) {
 			global.max_syslog_len = logsrv->maxlen;
-			logheader = realloc(logheader, global.max_syslog_len + 1);
-			logheader_rfc5424 = realloc(logheader_rfc5424, global.max_syslog_len + 1);
-			logline = realloc(logline, global.max_syslog_len + 1);
-			logline_rfc5424 = realloc(logline_rfc5424, global.max_syslog_len + 1);
+			logheader = my_realloc2(logheader, global.max_syslog_len + 1);
+			logheader_rfc5424 = my_realloc2(logheader_rfc5424, global.max_syslog_len + 1);
+			logline = my_realloc2(logline, global.max_syslog_len + 1);
+			logline_rfc5424 = my_realloc2(logline_rfc5424, global.max_syslog_len + 1);
 		}
 
 		/* after the length, a format may be specified */
@@ -8728,6 +8728,7 @@
 		if(bind_conf->keys_ref) {
 			free(bind_conf->keys_ref->filename);
 			free(bind_conf->keys_ref->tlskeys);
+			LIST_DEL(&bind_conf->keys_ref->list);
 			free(bind_conf->keys_ref);
 		}
 #endif /* USE_OPENSSL */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/checks.c new/haproxy-1.6.7/src/checks.c
--- old/haproxy-1.6.5/src/checks.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/checks.c 2016-07-13 19:57:01.000000000 +0200
@@ -58,6 +58,7 @@
 #include <proto/proxy.h>
 #include <proto/raw_sock.h>
 #include <proto/server.h>
+#include <proto/signal.h>
 #include <proto/stream_interface.h>
 #include <proto/task.h>
 #include <proto/log.h>
@@ -1521,14 +1522,15 @@
 	sigset_t set;
 	sigemptyset(&set);
 	sigaddset(&set, SIGCHLD);
-	assert(sigprocmask(SIG_SETMASK, &set, NULL) == 0);
+	assert(sigprocmask(SIG_BLOCK, &set, NULL) == 0);
 }
 
 void unblock_sigchld(void)
 {
 	sigset_t set;
 	sigemptyset(&set);
-	assert(sigprocmask(SIG_SETMASK, &set, NULL) == 0);
+	sigaddset(&set, SIGCHLD);
+	assert(sigprocmask(SIG_UNBLOCK, &set, NULL) == 0);
 }
 
 /* Call with SIGCHLD blocked */
@@ -1584,25 +1586,22 @@
 	}
 }
 
-static void sigchld_handler(int signal)
+static void sigchld_handler(struct sig_handler *sh)
 {
 	pid_t pid;
 	int status;
+
 	while ((pid = waitpid(0, &status, WNOHANG)) > 0)
 		pid_list_expire(pid, status);
 }
 
-static int init_pid_list(void) {
-	struct sigaction action = {
-		.sa_handler = sigchld_handler,
-		.sa_flags = SA_NOCLDSTOP
-	};
-
+static int init_pid_list(void)
+{
 	if (pool2_pid_list != NULL)
 		/* Nothing to do */
 		return 0;
 
-	if (sigaction(SIGCHLD, &action, NULL)) {
+	if (!signal_register_fct(SIGCHLD, sigchld_handler, SIGCHLD)) {
 		Alert("Failed to set signal handler for external health checks: %s. Aborting.\n", strerror(errno));
 		return 1;
@@ -1817,6 +1816,14 @@
 	if (pid == 0) {
 		/* Child */
 		extern char **environ;
+		int fd;
+
+		/* close all FDs. Keep stdin/stdout/stderr in verbose mode */
+		fd = (global.mode & (MODE_QUIET|MODE_VERBOSE)) == MODE_QUIET ? 0 : 3;
+
+		while (fd < global.rlimit_nofile)
+			close(fd++);
+
 		environ = check->envp;
 		extchk_setenv(check, EXTCHK_HAPROXY_SERVER_CURCONN, ultoa_r(s->cur_sess, buf, sizeof(buf)));
 		execvp(px->check_command, check->argv);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/chunk.c new/haproxy-1.6.7/src/chunk.c
--- old/haproxy-1.6.5/src/chunk.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/chunk.c 2016-07-13 19:57:01.000000000 +0200
@@ -17,6 +17,7 @@
 
 #include <common/config.h>
 #include <common/chunk.h>
+#include <common/standard.h>
 
 /* trash chunks used for various conversions */
 static struct chunk *trash_chunk;
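Review bot: `init_pid_list` still reports `strerror(errno)` when `signal_register_fct()` returns NULL, but that helper is haproxy's own registration function rather than the `sigaction()` call it replaces, and nothing in the hunk shows it setting `errno`, so the message most likely prints whatever stale value is lying around. Unless `signal_register_fct()` is documented to set `errno`, I would drop the `%s` and write `Alert("Failed to register the SIGCHLD handler for external health checks. Aborting.\n");`. The rest of `init_pid_list` continues outside the hunk, and the new handler signature `sigchld_handler(struct sig_handler *sh)` leaves `sh` unused, which deserves a short `/* sh unused: we reap every child, whatever the registration */` comment.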
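Review bot: In the `@@ -1817` hunk the quiet-mode path starts closing at descriptor 0, so the child runs the check command with stdin, stdout and stderr closed; the first file the command opens then lands on descriptor 0, 1 or 2, and any diagnostic it writes to stderr either fails with EBADF or goes into that unrelated file. The usual fix is to point the three standard descriptors at /dev/null before closing the rest, which also keeps the close loop simple. The loop's upper bound `global.rlimit_nofile` is only as good as the value main() stored; with the src/haproxy.c change in this commit it should reflect the effective limit, but a comment saying the loop relies on that would help. The enclosing fork path begins and ends outside the hunk.
```c
	if (pid == 0) {
		/* Child */
		extern char **environ;
		int fd;

		/* In quiet mode do not leave 0/1/2 closed: the check command's
		 * first open() would reuse them. Park them on /dev/null instead. */
		if ((global.mode & (MODE_QUIET|MODE_VERBOSE)) == MODE_QUIET) {
			int devnull = open("/dev/null", O_RDWR);
			if (devnull >= 0) {
				dup2(devnull, 0);
				dup2(devnull, 1);
				dup2(devnull, 2);
				if (devnull > 2)
					close(devnull);
			}
		}

		/* close everything else; relies on global.rlimit_nofile being the
		 * effective RLIMIT_NOFILE as adjusted by main() */
		for (fd = 3; fd < global.rlimit_nofile; fd++)
			close(fd);

		/* … unchanged: environ / extchk_setenv / execvp … */
```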
@@ -60,8 +61,8 @@
 int alloc_trash_buffers(int bufsize)
 {
 	trash_size = bufsize;
-	trash_buf1 = (char *)realloc(trash_buf1, bufsize);
-	trash_buf2 = (char *)realloc(trash_buf2, bufsize);
+	trash_buf1 = (char *)my_realloc2(trash_buf1, bufsize);
+	trash_buf2 = (char *)my_realloc2(trash_buf2, bufsize);
 	return trash_buf1 && trash_buf2;
 }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/connection.c new/haproxy-1.6.7/src/connection.c
--- old/haproxy-1.6.5/src/connection.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/connection.c 2016-07-13 19:57:01.000000000 +0200
@@ -385,7 +385,7 @@
 	if (trash.len < 9) /* shortest possible line */
 		goto missing;
 
-	if (!memcmp(line, "TCP4 ", 5) != 0) {
+	if (memcmp(line, "TCP4 ", 5) == 0) {
 		u32 src3, dst3, sport, dport;
 
 		line += 5;
@@ -426,7 +426,7 @@
 		((struct sockaddr_in *)&conn->addr.to)->sin_port = htons(dport);
 		conn->flags |= CO_FL_ADDR_FROM_SET | CO_FL_ADDR_TO_SET;
 	}
-	else if (!memcmp(line, "TCP6 ", 5) != 0) {
+	else if (memcmp(line, "TCP6 ", 5) == 0) {
 		u32 sport, dport;
 		char *src_s;
 		char *dst_s, *sport_s, *dport_s;
@@ -744,7 +744,7 @@
 	const char pp2_signature[] = PP2_SIGNATURE;
 	int ret = 0;
 	struct proxy_hdr_v2 *hdr = (struct proxy_hdr_v2 *)buf;
-	struct sockaddr_storage null_addr = {0};
+	struct sockaddr_storage null_addr = { .ss_family = 0 };
 	struct sockaddr_storage *src = &null_addr;
 	struct sockaddr_storage *dst = &null_addr;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/dns.c new/haproxy-1.6.7/src/dns.c
--- old/haproxy-1.6.5/src/dns.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/dns.c 2016-07-13 19:57:01.000000000 +0200
@@ -677,8 +677,7 @@
 		switch (type) {
 			case DNS_RTYPE_A:
 				/* check if current reccord's IP is the same as server one's */
-				if ((currentip_sin_family == AF_INET)
-				    && (*(uint32_t *)reader == *(uint32_t *)currentip)) {
+				if ((currentip_sin_family == AF_INET) && memcmp(reader, currentip, 4) == 0) {
 					currentip_found = 1;
 					newip4 = reader;
 					/* we can stop now if server's family preference is IPv4
@@ -917,14 +916,7 @@
 	/* set dns query headers */
 	dns = (struct dns_header *)ptr;
 	dns->id = (unsigned short) htons(query_id);
-	dns->qr = 0; /* query */
-	dns->opcode = 0;
-	dns->aa = 0;
-	dns->tc = 0;
-	dns->rd = 1; /* recursion desired */
-	dns->ra = 0;
-	dns->z = 0;
-	dns->rcode = 0;
+	dns->flags = htons(0x0100); /* qr=0, opcode=0, aa=0, tc=0, rd=1, ra=0, z=0, rcode=0 */
 	dns->qdcount = htons(1); /* 1 question */
 	dns->ancount = 0;
 	dns->nscount = 0;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/dumpstats.c new/haproxy-1.6.7/src/dumpstats.c
--- old/haproxy-1.6.5/src/dumpstats.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/dumpstats.c 2016-07-13 19:57:01.000000000 +0200
@@ -2755,6 +2755,9 @@
 	if (appctx->ctx.server_state.px->bind_proc && !(appctx->ctx.server_state.px->bind_proc & (1UL << (relative_pid - 1))))
 		return 1;
 
+	if (!appctx->ctx.server_state.sv)
+		appctx->ctx.server_state.sv = appctx->ctx.server_state.px->srv;
+
 	for (; appctx->ctx.server_state.sv != NULL; appctx->ctx.server_state.sv = srv->next) {
 		srv = appctx->ctx.server_state.sv;
 		srv_addr[0] = '\0';
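Review bot: `dns->flags = htons(0x0100)` in the `@@ -917` hunk writes the RD bit as a bare magic number, and now that the header is a single network-order `flags` word, the response side has to mask the same word for qr, tc and rcode; keeping those bit positions as named constants next to `struct dns_header` would keep the two sides from drifting, e.g. `#define DNS_FLAG_RD 0x0100` (a constructed name, pick whatever matches the project's enum style) and `dns->flags = htons(DNS_FLAG_RD); /* standard query, recursion desired */`. The `@@ -677` hunk's `memcmp(reader, currentip, 4)` is the right replacement for the unaligned `uint32_t` dereference, and a comment `/* byte compare: reader may be unaligned inside the response buffer */` would record why the obvious integer compare was removed. The enclosing parser function starts and ends outside the hunk.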
@@ -2846,19 +2849,24 @@ chunk_reset(&trash); - if (!appctx->ctx.server_state.px) { + if (appctx->st2 == STAT_ST_INIT) { + if (!appctx->ctx.server_state.px) + appctx->ctx.server_state.px = proxy; + appctx->st2 = STAT_ST_HEAD; + } + + if (appctx->st2 == STAT_ST_HEAD) { chunk_printf(&trash, "%d\n# %s\n", SRV_STATE_FILE_VERSION, SRV_STATE_FILE_FIELD_NAMES); if (bi_putchk(si_ic(si), &trash) == -1) { si_applet_cant_put(si); return 0; } - appctx->ctx.server_state.px = proxy; + appctx->st2 = STAT_ST_INFO; } + /* STAT_ST_INFO */ for (; appctx->ctx.server_state.px != NULL; appctx->ctx.server_state.px = curproxy->next) { curproxy = appctx->ctx.server_state.px; - if (!appctx->ctx.server_state.sv) - appctx->ctx.server_state.sv = appctx->ctx.server_state.px->srv; /* servers are only in backends */ if (curproxy->cap & PR_CAP_BE) { if (!dump_servers_state(si, &trash)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/haproxy.c new/haproxy-1.6.7/src/haproxy.c --- old/haproxy-1.6.5/src/haproxy.c 2016-05-10 15:42:00.000000000 +0200 +++ new/haproxy-1.6.7/src/haproxy.c 2016-07-13 19:57:01.000000000 +0200 
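Review bot: The new `STAT_ST_INIT`/`STAT_ST_HEAD`/`STAT_ST_INFO` sequence assumes `appctx->st2` starts at `STAT_ST_INIT` when this applet is set up, which happens outside the hunk; if another handler reuses `st2` without resetting it, the header line would be skipped silently. A comment on the `STAT_ST_INIT` branch, e.g. `/* first call: st2 must be STAT_ST_INIT as left by the applet init; remember the starting proxy once */`, would make that dependency explicit. The bare `/* STAT_ST_INFO */` marker would read better as `/* STAT_ST_INFO: dump the servers of every remaining backend, resuming at ctx.server_state.px */`. The enclosing function continues outside the hunk.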
@@ -1650,7 +1650,14 @@ if (global.rlimit_nofile) { limit.rlim_cur = limit.rlim_max = global.rlimit_nofile; if (setrlimit(RLIMIT_NOFILE, &limit) == -1) { - Warning("[%s.main()] Cannot raise FD limit to %d.\n", argv[0], global.rlimit_nofile); + /* try to set it to the max possible at least */ + getrlimit(RLIMIT_NOFILE, &limit); + limit.rlim_cur = limit.rlim_max; + if (setrlimit(RLIMIT_NOFILE, &limit) != -1) + getrlimit(RLIMIT_NOFILE, &limit); + + Warning("[%s.main()] Cannot raise FD limit to %d, limit is %d.\n", argv[0], global.rlimit_nofile, (int)limit.rlim_cur); + global.rlimit_nofile = limit.rlim_cur; } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/hlua.c new/haproxy-1.6.7/src/hlua.c --- old/haproxy-1.6.5/src/hlua.c 2016-05-10 15:42:00.000000000 +0200 +++ new/haproxy-1.6.7/src/hlua.c 2016-07-13 19:57:01.000000000 +0200 @@ -4790,7 +4790,7 @@ tos = MAY_LJMP(luaL_checkinteger(L, 2)); if ((cli_conn = objt_conn(htxn->s->sess->origin)) && conn_ctrl_ready(cli_conn)) - inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, tos); + inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, tos); return 0; } @@ -5167,7 +5167,7 @@ return 0; } hlua_smp2lua(stream->hlua.T, smp); - stream->hlua.nargs = 2; + stream->hlua.nargs = 1; /* push keywords in the stack. */ if (arg_p) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/proto_http.c new/haproxy-1.6.7/src/proto_http.c --- old/haproxy-1.6.5/src/proto_http.c 2016-05-10 15:42:00.000000000 +0200 +++ new/haproxy-1.6.7/src/proto_http.c 2016-07-13 19:57:01.000000000 +0200 
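Review bot: Both `getrlimit(RLIMIT_NOFILE, &limit)` calls in the fallback ignore their return value, so if either fails `limit` keeps whatever the earlier attempts left in it and `global.rlimit_nofile = limit.rlim_cur;` may record a value that was never applied. Guarding them, e.g. `if (getrlimit(RLIMIT_NOFILE, &limit) == 0) { limit.rlim_cur = limit.rlim_max; ... }`, keeps the stored limit equal to the effective one. Note also that `(int)limit.rlim_cur` truncates `rlim_t`, so an `RLIM_INFINITY` or very large hard limit prints, and is stored in the `int` field, as a negative number; casting to `unsigned long long` and printing with `%llu` avoids that in the message. The enclosing block continues outside the hunk.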
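Review bot: `stream->hlua.nargs = 1;` corrects the argument count but leaves no trace of why 2 was wrong, so the next reader may restore it; since only the converted sample has been pushed by `hlua_smp2lua()` at this point, a comment such as `/* only the sample is on the stack so far; keyword arguments pushed below are counted separately */` would capture the reason. Whether the `if (arg_p)` block below increments `nargs` is not visible in the hunk and should be confirmed. The enclosing function continues outside the hunk.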
@@ -3403,15 +3403,15 @@ /* Sets the TOS header in IPv4 and the traffic class header in IPv6 packets * (as per RFC3260 #4 and BCP37 #4.2 and #5.2). */ -void inet_set_tos(int fd, struct sockaddr_storage from, int tos) +void inet_set_tos(int fd, const struct sockaddr_storage *from, int tos) { #ifdef IP_TOS - if (from.ss_family == AF_INET) + if (from->ss_family == AF_INET) setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos)); #endif #ifdef IPV6_TCLASS - if (from.ss_family == AF_INET6) { - if (IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&from)->sin6_addr)) + if (from->ss_family == AF_INET6) { + if (IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)from)->sin6_addr)) /* v4-mapped addresses need IP_TOS */ setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos)); else @@ -3490,10 +3490,12 @@ * further processing of the request (auth, deny, ...), and defaults to * HTTP_RULE_RES_STOP if it executed all rules or stopped on an allow, or * HTTP_RULE_RES_CONT if the last rule was reached. It may set the TX_CLTARPIT - * on txn->flags if it encounters a tarpit rule. + * on txn->flags if it encounters a tarpit rule. If <deny_status> is not NULL + * and a deny/tarpit rule is matched, it will be filled with this rule's deny + * status. */ enum rule_result -http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s) +http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s, int *deny_status) { struct session *sess = strm_sess(s); struct http_txn *txn = s->txn; @@ -3502,6 +3504,7 @@ struct hdr_ctx ctx; const char *auth_realm; int act_flags = 0; + int len; /* If "the current_rule_list" match the executed rule list, we are in * resume condition. If a resume is needed it is always in the action 
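Review bot: `(struct sockaddr_in6 *)from` casts away the `const` that the new signature `void inet_set_tos(int fd, const struct sockaddr_storage *from, int tos)` just added, so `-Wcast-qual` flags it and the compiler loses the guarantee the prototype promises; `IN6_IS_ADDR_V4MAPPED(&((const struct sockaddr_in6 *)from)->sin6_addr)` keeps the qualifier. The header comment could also state the new contract, e.g. `/* <from> is only read; passed by pointer to avoid copying a sockaddr_storage by value */`. The enclosing function continues outside the hunk.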
@@ -3539,12 +3542,14 @@ return HTTP_RULE_RES_STOP; case ACT_ACTION_DENY: - txn->rule_deny_status = rule->deny_status; + if (deny_status) + *deny_status = rule->deny_status; return HTTP_RULE_RES_DENY; case ACT_HTTP_REQ_TARPIT: txn->flags |= TX_CLTARPIT; - txn->rule_deny_status = rule->deny_status; + if (deny_status) + *deny_status = rule->deny_status; return HTTP_RULE_RES_DENY; case ACT_HTTP_REQ_AUTH: @@ -3577,7 +3582,7 @@ case ACT_HTTP_SET_TOS: if ((cli_conn = objt_conn(sess->origin)) && conn_ctrl_ready(cli_conn)) - inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, rule->arg.tos); + inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, rule->arg.tos); break; case ACT_HTTP_SET_MARK: @@ -3611,12 +3616,18 @@ case ACT_HTTP_SET_HDR: case ACT_HTTP_ADD_HDR: - chunk_printf(&trash, "%s: ", rule->arg.hdr_add.name); + /* The scope of the trash buffer must be limited to this function. The + * build_logline() function can execute a lot of other function which + * can use the trash buffer. So for limiting the scope of this global + * buffer, we build first the header value using build_logline, and + * after we store the header name. + */ + len = rule->arg.hdr_add.name_len + 2, + len += build_logline(s, trash.str + len, trash.size - len, &rule->arg.hdr_add.fmt); memcpy(trash.str, rule->arg.hdr_add.name, rule->arg.hdr_add.name_len); - trash.len = rule->arg.hdr_add.name_len; - trash.str[trash.len++] = ':'; - trash.str[trash.len++] = ' '; - trash.len += build_logline(s, trash.str + trash.len, trash.size - trash.len, &rule->arg.hdr_add.fmt); + trash.str[rule->arg.hdr_add.name_len] = ':'; + trash.str[rule->arg.hdr_add.name_len + 1] = ' '; + trash.len = len; if (rule->action == ACT_HTTP_SET_HDR) { /* remove all occurrences of the header */ 
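Review bot: `len = rule->arg.hdr_add.name_len + 2,` ends with a comma rather than a semicolon, so the two statements are joined by the comma operator; it compiles and behaves the same today, but wrapping either statement in a conditional later will silently change the grouping, so it should be `len = rule->arg.hdr_add.name_len + 2;`. Nothing in the hunk checks that `name_len + 2` fits in `trash.size` before `build_logline()` is handed `trash.size - len`; if that difference can go negative the write starts past the buffer (or, if the size parameter is unsigned, becomes an enormous bound), so either a guard such as `if (len >= trash.size) break;` or a documented upper bound on `name_len` enforced by the config parser (outside this diff) is needed. The enclosing function continues outside the hunk.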
@@ -3860,7 +3871,7 @@ case ACT_HTTP_SET_TOS: if ((cli_conn = objt_conn(sess->origin)) && conn_ctrl_ready(cli_conn)) - inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, rule->arg.tos); + inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, rule->arg.tos); break; case ACT_HTTP_SET_MARK: @@ -4303,6 +4314,7 @@ struct redirect_rule *rule; struct cond_wordlist *wl; enum rule_result verdict; + int deny_status = HTTP_ERR_403; if (unlikely(msg->msg_state < HTTP_MSG_BODY)) { /* we need more data */ @@ -4323,7 +4335,7 @@ /* evaluate http-request rules */ if (!LIST_ISEMPTY(&px->http_req_rules)) { - verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s); + verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s, &deny_status); switch (verdict) { case HTTP_RULE_RES_YIELD: /* some data miss, call the function later. */ @@ -4369,7 +4381,7 @@ /* parse the whole stats request and extract the relevant information */ http_handle_stats(s, req); - verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s); + verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s, &deny_status); /* not all actions implemented: deny, allow, auth */ if (verdict == HTTP_RULE_RES_DENY) /* stats http-request deny */ @@ -4500,9 +4512,9 @@ manage_client_side_cookies(s, req); txn->flags |= TX_CLDENY; - txn->status = http_err_codes[txn->rule_deny_status]; + txn->status = http_err_codes[deny_status]; s->logs.tv_request = now; - stream_int_retnclose(&s->si[0], http_error_message(s, txn->rule_deny_status)); + stream_int_retnclose(&s->si[0], http_error_message(s, deny_status)); stream_inc_http_err_ctr(s); sess->fe->fe_counters.denied_req++; if (sess->fe != s->be) 
@@ -9641,7 +9653,7 @@ } if (strcmp(args[cur_arg], "silent") == 0) rule->arg.loglevel = -1; - else if ((rule->arg.loglevel = get_log_level(args[cur_arg] + 1)) == 0) + else if ((rule->arg.loglevel = get_log_level(args[cur_arg]) + 1) == 0) goto bad_log_level; cur_arg++; } else if (strcmp(args[0], "add-header") == 0 || strcmp(args[0], "set-header") == 0) { @@ -11938,17 +11950,16 @@ { struct chunk *temp; struct connection *cli_conn = objt_conn(smp->sess->origin); - unsigned int hash; - if (!smp_fetch_url32(args, smp, kw, private)) + if (!cli_conn) return 0; - /* The returned hash is a 32 bytes integer. */ - hash = smp->data.u.sint; + if (!smp_fetch_url32(args, smp, kw, private)) + return 0; temp = get_trash_chunk(); - memcpy(temp->str + temp->len, &hash, sizeof(hash)); - temp->len += sizeof(hash); + *(unsigned int *)temp->str = htonl(smp->data.u.sint); + temp->len += sizeof(unsigned int); switch (cli_conn->addr.from.ss_family) { case AF_INET: @@ -12803,7 +12814,7 @@ break; if (cur_arg < *orig_arg + 3) { - memprintf(err, "expects <expression> [ 'len' <length> | id <idx> ]"); + memprintf(err, "expects <expression> id <idx>"); return ACT_RET_PRS_ERR; } @@ -12821,7 +12832,7 @@ } if (!args[cur_arg] || !*args[cur_arg]) { - memprintf(err, "expects 'len or 'id'"); + memprintf(err, "expects 'id'"); free(expr); return ACT_RET_PRS_ERR; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/proto_tcp.c new/haproxy-1.6.7/src/proto_tcp.c --- old/haproxy-1.6.5/src/proto_tcp.c 2016-05-10 15:42:00.000000000 +0200 +++ new/haproxy-1.6.7/src/proto_tcp.c 2016-07-13 19:57:01.000000000 +0200 
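Review bot: `*(unsigned int *)temp->str = htonl(smp->data.u.sint);` writes at offset 0 of the trash chunk but then advances with `temp->len += sizeof(unsigned int);`, so the two lines only agree because `get_trash_chunk()` is assumed to hand back an empty chunk; writing at `temp->str + temp->len`, as the removed `memcpy()` did, keeps them consistent regardless. Since `url32` is defined as a 32-bit value, `uint32_t hash = htonl(smp->data.u.sint); memcpy(temp->str + temp->len, &hash, sizeof(hash)); temp->len += sizeof(hash);` also removes the dependency on `sizeof(unsigned int)` and the aligned-store cast. The added `if (!cli_conn) return 0;` ahead of the fetch is the right order, since `cli_conn->addr.from.ss_family` is read unconditionally below. The enclosing function continues outside the hunk.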
@@ -435,7 +435,7 @@ struct sockaddr_storage sa; ret = 1; - sa = src->source_addr; + memcpy(&sa, &src->source_addr, sizeof(sa)); do { /* note: in case of retry, we may have to release a previously diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/sample.c new/haproxy-1.6.7/src/sample.c --- old/haproxy-1.6.5/src/sample.c 2016-05-10 15:42:00.000000000 +0200 +++ new/haproxy-1.6.7/src/sample.c 2016-07-13 19:57:01.000000000 +0200 @@ -765,7 +765,7 @@ { struct chunk *chk = get_trash_chunk(); - *(unsigned long long int *)chk->str = htonll(smp->data.u.sint); + *(unsigned long long int *)chk->str = my_htonll(smp->data.u.sint); chk->len = 8; smp->data.u.str = *chk; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/server.c new/haproxy-1.6.7/src/server.c --- old/haproxy-1.6.5/src/server.c 2016-05-10 15:42:00.000000000 +0200 +++ new/haproxy-1.6.7/src/server.c 2016-07-13 19:57:01.000000000 +0200 @@ -2532,7 +2532,7 @@ /* save the new IP address */ switch (ip_sin_family) { case AF_INET: - ((struct sockaddr_in *)&s->addr)->sin_addr.s_addr = *(uint32_t *)ip; + memcpy(&((struct sockaddr_in *)&s->addr)->sin_addr.s_addr, ip, 4); break; case AF_INET6: memcpy(((struct sockaddr_in6 *)&s->addr)->sin6_addr.s6_addr, ip, 16); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/ssl_sock.c new/haproxy-1.6.7/src/ssl_sock.c --- old/haproxy-1.6.5/src/ssl_sock.c 2016-05-10 15:42:00.000000000 +0200 +++ new/haproxy-1.6.7/src/ssl_sock.c 2016-07-13 19:57:01.000000000 +0200 @@ -4782,6 +4782,7 @@ if (base64dec(thisline, len, (char *) (keys_ref->tlskeys + i % TLS_TICKETS_NO), sizeof(struct tls_sess_key)) != sizeof(struct tls_sess_key)) { if (err) memprintf(err, "'%s' : unable to decode base64 key on line %d", args[cur_arg+1], i + 1); + fclose(f); return ERR_ALERT | ERR_FATAL; } i++; 
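Review bot: The added `fclose(f);` closes the descriptor on the decode-failure path, but the partially filled `keys_ref->tlskeys` buffer, which already holds decoded ticket keys, is neither released nor wiped on this return, and the same applies to the `i < TLS_TICKETS_NO` path in the next hunk (`@@ -4790`); unless the caller frees `keys_ref` on `ERR_ALERT | ERR_FATAL`, which is outside this diff, the key material stays allocated. Because these are TLS session-ticket keys, the failure paths should clear them before any free, e.g. `memset(keys_ref->tlskeys, 0, TLS_TICKETS_NO * sizeof(struct tls_sess_key)); /* secret material */`, preferably through an explicit-clear helper so the store is not optimized away. The enclosing function continues outside the hunk.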
@@ -4790,6 +4791,7 @@ if (i < TLS_TICKETS_NO) { if (err) memprintf(err, "'%s' : please supply at least %d keys in the tls-tickets-file", args[cur_arg+1], TLS_TICKETS_NO); + fclose(f); return ERR_ALERT | ERR_FATAL; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/standard.c new/haproxy-1.6.7/src/standard.c --- old/haproxy-1.6.5/src/standard.c 2016-05-10 15:42:00.000000000 +0200 +++ new/haproxy-1.6.7/src/standard.c 2016-07-13 19:57:01.000000000 +0200 @@ -2307,22 +2307,29 @@ } /* Return non-zero if IPv4 address is part of the network, - * otherwise zero. + * otherwise zero. Note that <addr> may not necessarily be aligned + * while the two other ones must. */ -int in_net_ipv4(struct in_addr *addr, struct in_addr *mask, struct in_addr *net) +int in_net_ipv4(const void *addr, const struct in_addr *mask, const struct in_addr *net) { - return((addr->s_addr & mask->s_addr) == (net->s_addr & mask->s_addr)); + struct in_addr addr_copy; + + memcpy(&addr_copy, addr, sizeof(addr_copy)); + return((addr_copy.s_addr & mask->s_addr) == (net->s_addr & mask->s_addr)); } /* Return non-zero if IPv6 address is part of the network, - * otherwise zero. + * otherwise zero. Note that <addr> may not necessarily be aligned + * while the two other ones must. */ -int in_net_ipv6(struct in6_addr *addr, struct in6_addr *mask, struct in6_addr *net) +int in_net_ipv6(const void *addr, const struct in6_addr *mask, const struct in6_addr *net) { int i; + struct in6_addr addr_copy; + memcpy(&addr_copy, addr, sizeof(addr_copy)); for (i = 0; i < sizeof(struct in6_addr) / sizeof(int); i++) - if (((((int *)addr)[i] & ((int *)mask)[i])) != + if (((((int *)&addr_copy)[i] & ((int *)mask)[i])) != (((int *)net)[i] & ((int *)mask)[i])) return 0; return 1; @@ -2622,7 +2629,7 @@ } allocated = needed + 1; - ret = realloc(ret, allocated); + ret = my_realloc2(ret, allocated); } while (ret); if (needed < 0) { 
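Review bot: In `in_net_ipv6()` the new `const struct in6_addr *mask` and `*net` parameters are immediately read through `(int *)mask` and `(int *)net`, which discard the qualifier just added and type-pun `struct in6_addr` as `int`; comparing through the byte array instead, with the test `(addr_copy.s6_addr[i] & mask->s6_addr[i]) != (net->s6_addr[i] & mask->s6_addr[i])` over `sizeof(addr_copy.s6_addr)`, needs no casts and no alignment assumption for any of the three. The loop also compares the signed `int i` with `sizeof(struct in6_addr) / sizeof(int)`, a `size_t`, which `-Wsign-compare` flags; declaring `i` as `unsigned` or `size_t` fixes it. The `in_net_ipv4()` rewrite above is fine as written.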
@@ -2770,7 +2777,7 @@ val_len = value ? strlen(value) : 0; } - out = realloc(out, out_len + (txt_end - txt_beg) + val_len + 1); + out = my_realloc2(out, out_len + (txt_end - txt_beg) + val_len + 1); if (txt_end > txt_beg) { memcpy(out + out_len, txt_beg, txt_end - txt_beg); out_len += txt_end - txt_beg; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/stick_table.c new/haproxy-1.6.7/src/stick_table.c --- old/haproxy-1.6.5/src/stick_table.c 2016-05-10 15:42:00.000000000 +0200 +++ new/haproxy-1.6.7/src/stick_table.c 2016-07-13 19:57:01.000000000 +0200 @@ -461,6 +461,8 @@ } /* Prepares a stktable_key from a sample <smp> to search into table <t>. + * Note that the sample *is* modified and that the returned key may point + * to it, so the sample must not be modified afterwards before the lookup. * Returns NULL if the sample could not be converted (eg: no matching type), * otherwise a pointer to the static stktable_key filled with what is needed * for the lookup. @@ -700,11 +702,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (!ts) /* key not present */ return 1; @@ -736,11 +739,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (!ts) /* key not present */ return 1; @@ -771,11 +775,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (!ts) /* key not present */ return 1; @@ -806,11 +811,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (!ts) /* key not present */ return 1; 
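Review bot: `out = my_realloc2(out, out_len + (txt_end - txt_beg) + val_len + 1);` is followed directly by `memcpy(out + out_len, txt_beg, ...)` with no NULL test in the hunk; since `my_realloc2()` frees the old block on failure, an allocation failure now turns the former leak into a write through a NULL-based pointer, unless a check sits between them outside the hunk. A guard such as `if (!out) goto fail;` (using whatever failure convention the enclosing function has) should precede the copy. The enclosing function continues outside the hunk.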
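Review bot: Moving `ts = stktable_lookup_key(t, key);` ahead of the `smp->flags`/`smp->data` assignments is repeated verbatim in this hunk and in every following stick_table.c hunk (the remaining ones on this line and all of those on the next two lines), so the ordering constraint stated in the new `smp_to_stkey()` comment ("the returned key may point to it") is enforced only by copy-discipline across eighteen functions. A small static helper taking `t` and `smp`, doing the conversion and the lookup and only then resetting `smp` to an `SMP_T_SINT` zero, would make the constraint structural and collapse the duplicated preambles. Short of that, a one-line comment at each site such as `/* lookup before touching smp: the key may alias smp->data */` would preserve the reason for the order. Each of these functions starts outside its hunk.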
@@ -842,11 +848,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (!ts) /* key not present */ return 1; @@ -878,11 +885,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (!ts) /* key not present */ return 1; @@ -913,11 +921,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (!ts) /* key not present */ return 1; @@ -948,11 +957,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (!ts) /* key not present */ return 1; @@ -984,11 +994,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (!ts) /* key not present */ return 1; @@ -1019,11 +1030,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (!ts) /* key not present */ return 1; @@ -1055,11 +1067,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (!ts) /* key not present */ return 1; @@ -1090,11 +1103,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (!ts) /* key not present */ return 1; 
@@ -1126,11 +1140,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (!ts) /* key not present */ return 1; @@ -1161,11 +1176,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (!ts) /* key not present */ return 1; @@ -1196,11 +1212,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (!ts) /* key not present */ return 1; @@ -1231,11 +1248,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (!ts) /* key not present */ return 1; @@ -1266,11 +1284,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (!ts) /* key not present */ return 1; @@ -1301,11 +1320,12 @@ if (!key) return 0; + ts = stktable_lookup_key(t, key); + smp->flags = SMP_F_VOL_TEST; smp->data.type = SMP_T_SINT; smp->data.u.sint = 0; - ts = stktable_lookup_key(t, key); if (ts) smp->data.u.sint = ts->ref_cnt; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/stream.c new/haproxy-1.6.7/src/stream.c --- old/haproxy-1.6.5/src/stream.c 2016-05-10 15:42:00.000000000 +0200 +++ new/haproxy-1.6.7/src/stream.c 2016-07-13 19:57:01.000000000 +0200 
@@ -2855,7 +2855,7 @@ if (stkctr_entry(stkctr) == NULL) stkctr = smp_create_src_stkctr(smp->sess, smp->strm, args, kw); - if (stkctr_entry(stkctr) != NULL) { + if (stkctr && stkctr_entry(stkctr)) { void *ptr1,*ptr2; /* First, update gpc0_rate if it's tracked. Second, update its diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/vars.c new/haproxy-1.6.7/src/vars.c --- old/haproxy-1.6.5/src/vars.c 2016-05-10 15:42:00.000000000 +0200 +++ new/haproxy-1.6.7/src/vars.c 2016-07-13 19:57:01.000000000 +0200 @@ -151,6 +151,7 @@ static char *register_name(const char *name, int len, enum vars_scope *scope, char **err) { int i; + char **var_names2; const char *tmp; /* Check length. */ @@ -191,13 +192,14 @@ if (strncmp(var_names[i], name, len) == 0) return var_names[i]; - /* Store variable name. */ - var_names_nb++; - var_names = realloc(var_names, var_names_nb * sizeof(*var_names)); - if (!var_names) { + /* Store variable name. If realloc fails, var_names remains valid */ + var_names2 = realloc(var_names, (var_names_nb + 1) * sizeof(*var_names)); + if (!var_names2) { memprintf(err, "out of memory error"); return NULL; } + var_names_nb++; + var_names = var_names2; var_names[var_names_nb - 1] = malloc(len + 1); if (!var_names[var_names_nb - 1]) { memprintf(err, "out of memory error");
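Review bot: `if (stkctr && stkctr_entry(stkctr))` now tolerates a NULL return from `smp_create_src_stkctr()`, but the preceding context line `if (stkctr_entry(stkctr) == NULL)` still dereferences `stkctr` unconditionally, so the new guard only helps if `stkctr` is known non-NULL before the hunk (its origin is outside the hunk). A short comment on the new test, e.g. `/* smp_create_src_stkctr() may return NULL when no tracking entry could be created */`, would explain why the check appears here and not above. The enclosing function continues outside the hunk.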
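Review bot: `var_names_nb++;` is now executed before the `malloc(len + 1)` for the name itself, so on the `if (!var_names[var_names_nb - 1])` path the table has a counted slot holding NULL; the failure branch is cut off at the end of the hunk, and unless it decrements `var_names_nb`, the next `strncmp(var_names[i], name, len)` in the lookup loop above dereferences that NULL. Incrementing only after both allocations succeed, i.e. keep `var_names = var_names2;` here, index the new slot as `var_names[var_names_nb]` for the `malloc()` and its check, and move `var_names_nb++;` after the check, removes the window. The enclosing function continues outside the hunk.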
