Date: Tuesday, June 28, 2016 @ 10:12:25 Author: demize Revision: 181487
Drop old patches Deleted: haproxy/trunk/CVE-2016-5360-reqdeny.patch haproxy/trunk/gcc6-fix.patch -----------------------------+ CVE-2016-5360-reqdeny.patch | 117 ------------------------------------------ gcc6-fix.patch | 107 -------------------------------------- 2 files changed, 224 deletions(-)
Deleted: CVE-2016-5360-reqdeny.patch
===================================================================
--- CVE-2016-5360-reqdeny.patch 2016-06-28 10:05:44 UTC (rev 181486)
+++ CVE-2016-5360-reqdeny.patch 2016-06-28 10:12:25 UTC (rev 181487)
@@ -1,117 +0,0 @@
-From: Willy Tarreau <[email protected]>
-Date: Wed, 25 May 2016 14:23:59 +0000 (+0200)
-Subject: BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes
-X-Git-Url: http://git.haproxy.org/?p=haproxy-1.6.git;a=commitdiff_plain;h=60f01f8c89e4fb2723d5a9f2046286e699567e0b;hp=0c60f3790d6f177f123d4ae63d5f17868c789d12
-
-BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes
-
-Commit 108b1dd ("MEDIUM: http: configurable http result codes for
-http-request deny") introduced in 1.6-dev2 was incomplete. It introduced
-a new field "rule_deny_status" into struct http_txn, which is filled only
-by actions "http-request deny" and "http-request tarpit". It's then used
-in the deny code path to emit the proper error message, but is used
-uninitialized when the deny comes from a "reqdeny" rule, causing random
-behaviours ranging from returning a 200, an empty response, or crashing
-the process. Often upon startup only 200 was returned but after the fields
-are used the crash happens. This can be sped up using -dM.
-
-There's no need at all for storing this status in the http_txn struct
-anyway since it's used immediately after being set. Let's store it in
-a temporary variable instead which is passed as an argument to function
-http_req_get_intercept_rule().
-
-As an extra benefit, removing it from struct http_txn reduced the size
-of this struct by 8 bytes.
-
-This fix must be backported to 1.6 where the bug was detected. Special
-thanks to Falco Schmutz for his detailed report including an exploitable
-core and a reproducer.
-(cherry picked from commit 58727ec088e55f739b146cff3baa955f8d1b2a3e)
----
-
-diff --git a/include/types/proto_http.h b/include/types/proto_http.h
-index e5e9667..c3a73ef 100644
---- a/include/types/proto_http.h
-+++ b/include/types/proto_http.h
-@@ -362,7 +362,6 @@ struct http_txn {
- unsigned int flags; /* transaction flags */
- enum http_meth_t meth; /* HTTP method */
- /* 1 unused byte here */
-- short rule_deny_status; /* HTTP status from rule when denying */
- short status; /* HTTP status from the server, negative if from proxy */
-
- char *uri; /* first line if log needed, NULL otherwise */
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 59cd5d2..6eac62b 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -3490,10 +3490,12 @@ static int http_transform_header(struct stream* s, struct http_msg *msg,
- * further processing of the request (auth, deny, ...), and defaults to
- * HTTP_RULE_RES_STOP if it executed all rules or stopped on an allow, or
- * HTTP_RULE_RES_CONT if the last rule was reached. It may set the TX_CLTARPIT
-- * on txn->flags if it encounters a tarpit rule.
-+ * on txn->flags if it encounters a tarpit rule. If <deny_status> is not NULL
-+ * and a deny/tarpit rule is matched, it will be filled with this rule's deny
-+ * status.
- */
- enum rule_result
--http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s)
-+http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s, int *deny_status)
- {
- struct session *sess = strm_sess(s);
- struct http_txn *txn = s->txn;
-@@ -3539,12 +3541,14 @@ resume_execution:
- return HTTP_RULE_RES_STOP;
-
- case ACT_ACTION_DENY:
-- txn->rule_deny_status = rule->deny_status;
-+ if (deny_status)
-+ *deny_status = rule->deny_status;
- return HTTP_RULE_RES_DENY;
-
- case ACT_HTTP_REQ_TARPIT:
- txn->flags |= TX_CLTARPIT;
-- txn->rule_deny_status = rule->deny_status;
-+ if (deny_status)
-+ *deny_status = rule->deny_status;
- return HTTP_RULE_RES_DENY;
-
- case ACT_HTTP_REQ_AUTH:
-@@ -4303,6 +4307,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
- struct redirect_rule *rule;
- struct cond_wordlist *wl;
- enum rule_result verdict;
-+ int deny_status = HTTP_ERR_403;
-
- if (unlikely(msg->msg_state < HTTP_MSG_BODY)) {
- /* we need more data */
-@@ -4323,7 +4328,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
-
- /* evaluate http-request rules */
- if (!LIST_ISEMPTY(&px->http_req_rules)) {
-- verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s);
-+ verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s, &deny_status);
-
- switch (verdict) {
- case HTTP_RULE_RES_YIELD: /* some data miss, call the function later. */
-@@ -4369,7 +4374,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
-
- /* parse the whole stats request and extract the relevant information */
- http_handle_stats(s, req);
-- verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s);
-+ verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s, &deny_status);
- /* not all actions implemented: deny, allow, auth */
-
- if (verdict == HTTP_RULE_RES_DENY) /* stats http-request deny */
-@@ -4500,9 +4505,9 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
- manage_client_side_cookies(s, req);
-
- txn->flags |= TX_CLDENY;
-- txn->status = http_err_codes[txn->rule_deny_status];
-+ txn->status = http_err_codes[deny_status];
- s->logs.tv_request = now;
-- stream_int_retnclose(&s->si[0], http_error_message(s, txn->rule_deny_status));
-+ stream_int_retnclose(&s->si[0], http_error_message(s, deny_status));
- stream_inc_http_err_ctr(s);
- sess->fe->fe_counters.denied_req++;
- if (sess->fe != s->be)
Deleted: gcc6-fix.patch
===================================================================
--- gcc6-fix.patch 2016-06-28 10:05:44 UTC (rev 181486)
+++ gcc6-fix.patch 2016-06-28 10:12:25 UTC (rev 181487)
@@ -1,107 +0,0 @@
-diff --git a/include/proto/proto_http.h b/include/proto/proto_http.h
-index 4d8f5365b625..0aa6643b98da 100644
---- a/include/proto/proto_http.h
-+++ b/include/proto/proto_http.h
-@@ -110,7 +110,7 @@ void http_set_status(unsigned int status, struct stream *s);
- int http_transform_header_str(struct stream* s, struct http_msg *msg, const char* name,
- unsigned int name_len, const char *str, struct my_regex *re,
- int action);
--void inet_set_tos(int fd, struct sockaddr_storage from, int tos);
-+void inet_set_tos(int fd, const struct sockaddr_storage *from, int tos);
- void http_perform_server_redirect(struct stream *s, struct stream_interface *si);
- void http_return_srv_error(struct stream *s, struct stream_interface *si);
- void http_capture_bad_message(struct error_snapshot *es, struct stream *s,
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index 3fee54e0db1d..48e584cf73e7 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -287,7 +287,7 @@ int str2listener(char *str, struct proxy *curproxy, struct bind_conf *bind_conf,
- }
-
- /* OK the address looks correct */
-- ss = *ss2;
-+ memcpy(&ss, ss2, sizeof(ss));
-
- for (; port <= end; port++) {
- l = calloc(1, sizeof(*l));
-diff --git a/src/connection.c b/src/connection.c
-index 330f3efbc995..5515188c6b10 100644
---- a/src/connection.c
-+++ b/src/connection.c
-@@ -744,7 +744,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
- const char pp2_signature[] = PP2_SIGNATURE;
- int ret = 0;
- struct proxy_hdr_v2 *hdr = (struct proxy_hdr_v2 *)buf;
-- struct sockaddr_storage null_addr = {0};
-+ struct sockaddr_storage null_addr = { .ss_family = 0 };
- struct sockaddr_storage *src = &null_addr;
- struct sockaddr_storage *dst = &null_addr;
-
-diff --git a/src/hlua.c b/src/hlua.c
-index f6eb8aa80ee0..94f97429c895 100644
---- a/src/hlua.c
-+++ b/src/hlua.c
-@@ -4781,7 +4781,7 @@ __LJMP static int hlua_txn_set_tos(lua_State *L)
- tos = MAY_LJMP(luaL_checkinteger(L, 2));
-
- if ((cli_conn = objt_conn(htxn->s->sess->origin)) && conn_ctrl_ready(cli_conn))
-- inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, tos);
-+ inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, tos);
-
- return 0;
- }
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 21ad131c9f43..416504247a8d 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -3189,15 +3189,15 @@ int http_handle_stats(struct stream *s, struct channel *req)
- /* Sets the TOS header in IPv4 and the traffic class header in IPv6 packets
- * (as per RFC3260 #4 and BCP37 #4.2 and #5.2).
- */
--void inet_set_tos(int fd, struct sockaddr_storage from, int tos)
-+void inet_set_tos(int fd, const struct sockaddr_storage *from, int tos)
- {
- #ifdef IP_TOS
-- if (from.ss_family == AF_INET)
-+ if (from->ss_family == AF_INET)
- setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos));
- #endif
- #ifdef IPV6_TCLASS
-- if (from.ss_family == AF_INET6) {
-- if (IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&from)->sin6_addr))
-+ if (from->ss_family == AF_INET6) {
-+ if (IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)from)->sin6_addr))
- /* v4-mapped addresses need IP_TOS */
- setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos));
- else
-@@ -3363,7 +3363,7 @@ resume_execution:
-
- case ACT_HTTP_SET_TOS:
- if ((cli_conn = objt_conn(sess->origin)) && conn_ctrl_ready(cli_conn))
-- inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, rule->arg.tos);
-+ inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, rule->arg.tos);
- break;
-
- case ACT_HTTP_SET_MARK:
-@@ -3646,7 +3646,7 @@ resume_execution:
-
- case ACT_HTTP_SET_TOS:
- if ((cli_conn = objt_conn(sess->origin)) && conn_ctrl_ready(cli_conn))
-- inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, rule->arg.tos);
-+ inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, rule->arg.tos);
- break;
-
- case ACT_HTTP_SET_MARK:
-diff --git a/src/proto_tcp.c b/src/proto_tcp.c
-index a44912af4654..bbe12e2d4c0d 100644
---- a/src/proto_tcp.c
-+++ b/src/proto_tcp.c
-@@ -435,7 +435,7 @@ int tcp_connect_server(struct connection *conn, int data, int delack)
- struct sockaddr_storage sa;
-
- ret = 1;
-- sa = src->source_addr;
-+ memcpy(&sa, &src->source_addr, sizeof(sa));
-
- do {
- /* note: in case of retry, we may have to release a previously
