Hi all, Here's an important update for 1.4 and 1.5, please read it, it contains an important security fix.
When a config makes use of hdr_ip(x-forwarded-for,-1) or any such thing involving a negative occurrence count, the header is still parsed in the order it appears, and an array of up to MAX_HDR_HISTORY entries is created. When more entries are used, the entries simply wrap and continue this way. A problem happens when the incoming header field count exactly divides MAX_HDR_HISTORY, because the computation removes the number of requested occurrences from the count, but does not care about the risk of wrapping with a negative number. Thus we can dereference the array with a negative number and randomly crash the process. The bug is located in http_get_hdr() in haproxy 1.5, and get_ip_from_hdr2() in haproxy 1.4. It affects configurations making use of one of the following functions with a negative <value> occurence number : - hdr_ip(<name>, <value>) (in 1.4) - hdr_*(<name>, <value>) (in 1.5) It also affects "source" statements involving "hdr_ip(<name>)" since that statement implicitly uses -1 for <value> : - source 0.0.0.0 usesrc hdr_ip(<name>) A workaround consists in rejecting dangerous requests early using hdr_cnt(<name>), which is available both in 1.4 and 1.5 : block if { hdr_cnt(<name>) ge 10 } This bug has been present since the introduction of the negative offset count in 1.4.4 via commit bce70882. It has been reported by David Torgerson who offered some debugging traces showing where the crash happened, thus making it significantly easier to find the bug! CVE-2013-2175 was assigned to this bug. For those who want to quickly deploy a fix, please use this patch for 1.5, it also applies to 1.4 : http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=67dad2715b 1.4.24 has only two other fixes from 1.4.23 : - BUG/MEDIUM: checks: disable TCP quickack when pure TCP checks are used - BUG/MAJOR: backend: consistent hash can loop forever in certain circumstances For 1.5, no less than 28 bugs were fixed since 1.5-dev18, but as usual, either you were not affected by them or were already using a more recent snapshot :-) Bugs apart, 1.5 has received long-awaited updates, among which : - error reporting for acl/fetch was improved, log-format can now indicate where a bad keyword was detected ; - the stats page allow the output to be filtered to certain proxies only - transparent proxy is now supported on FreeBSD/OpenBSD - new ACL fetch full_hdr() works on a full header line, as opposed to hdr() which works on a comma-delimited list of values. This is useful with some new user-agents which include commas and could not be matched ; - health-checks try to drain server response first to avoid to emit a TCP reset whenever possible ; - new "http-response" rule sets allows some processing to be performed based on the response (eg: add/set header) ; - new actions for http-request/http-response : + set-nice : change the task's priority : allows high-bandwidth, low importance tasks to be deprioritized (useful for compression as well) ; + set-log-level : change the log level of current request, with possibility to completely disable it (eg: log POSTs with higher severity or stop logging statics, etc...) ; + set-tos : set the DSCP field of outgoing packets to the specified value. Can be useful to route certain responses over different links ; + set-mark : set a netfilter mark on all outgoing packets to the specified value. Can be used as an alternative to DSCP above, or to blacklist some IPs (when combined with ipset for example) ; - new action "expect-proxy layer4" for "tcp-request connection". This allows the PROXY protocol to be conditionally enabled on incoming connections. For example, when you rely on an external haproxy farm whose addresses are known, the PROXY protocol can be enabled just for them. - a new "env()" fetch keyword was added to retrieve an environment variable. This allows a same config to be used in various modes by just changing an environment variable during a reload (eg: prod/maint). Other usages include passing the Via header to servers. - stick-counters have been increased to 3 (sc0, sc1, sc2), because most often when combining to criteria, it was not possible to have both 1, 2 and 1+2 at the same time. - ACL usage simplification : fetch methods of types boolean, integer or IP address are automatically usable in ACLs without having to specify "-m $type". This permitted to significantly clean the code by removing many double references to same keywords. Contributors will probably appreciated. - the ACL/fetch doc experienced a major lift up to avoid referencing the same keywords twice. It was by far the hardest change of this whole version! I receive about twice a week a question asking "when will 1.5 become stable ?". We're still focusing primarily on this task, but the changes introduced in last september had a lot of impact and were not trivial to fix. Server-side keep-alive is still the condition to switch to 1.5-stable. In the mean time, some issues with buffer management still need to be adressed in order to be able to fix compression (which is disabled for chunked encoding right now). Another big deal is to propagate the process binding to listeners to fix some issues with peers and stats socket in multi-process mode. I already have patches for this but they're broken, dependencies are too deep and they need to be redesigned. The rest is not very important and can be postponed. It seems reasonable to think about 1.5-stable by the end of the summer, so all in all it's as always "in 3 months"... The good thing is that I'm getting more time dedicated to this task at Exceliance, so this never-ending promise might become true. Usual links below : Site index : http://haproxy.1wt.eu/ Sources (1.4) : http://haproxy.1wt.eu/download/1.4/src/ Changelog (1.4) : http://haproxy.1wt.eu/download/1.4/src/CHANGELOG Sources (1.5) : http://haproxy.1wt.eu/download/1.5/src/devel/ Changelog (1.5) : http://haproxy.1wt.eu/download/1.5/src/CHANGELOG Cyril's HTML doc : http://cbonte.github.com/haproxy-dconv/configuration-1.5.html Do not forget to upgrade or patch, Willy