Hi all,
Here's an important update for 1.4 and 1.5, please read it, it contains
an important security fix.
When a config makes use of hdr_ip(x-forwarded-for,-1) or any such thing
involving a negative occurrence count, the header is still parsed in the
order it appears, and an array of up to MAX_HDR_HISTORY entries is created.
When more entries are used, the entries simply wrap and continue this way.
A problem happens when the incoming header field count exactly divides
MAX_HDR_HISTORY, because the computation removes the number of requested
occurrences from the count, but does not care about the risk of wrapping
with a negative number. Thus we can dereference the array with a negative
number and randomly crash the process.
The bug is located in http_get_hdr() in haproxy 1.5, and get_ip_from_hdr2()
in haproxy 1.4. It affects configurations making use of one of the following
functions with a negative <value> occurence number :
- hdr_ip(<name>, <value>) (in 1.4)
- hdr_*(<name>, <value>) (in 1.5)
It also affects "source" statements involving "hdr_ip(<name>)" since that
statement implicitly uses -1 for <value> :
- source 0.0.0.0 usesrc hdr_ip(<name>)
A workaround consists in rejecting dangerous requests early using
hdr_cnt(<name>), which is available both in 1.4 and 1.5 :
block if { hdr_cnt(<name>) ge 10 }
This bug has been present since the introduction of the negative offset
count in 1.4.4 via commit bce70882. It has been reported by David Torgerson
who offered some debugging traces showing where the crash happened, thus
making it significantly easier to find the bug!
CVE-2013-2175 was assigned to this bug.
For those who want to quickly deploy a fix, please use this patch for 1.5,
it also applies to 1.4 :
http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=67dad2715b
1.4.24 has only two other fixes from 1.4.23 :
- BUG/MEDIUM: checks: disable TCP quickack when pure TCP checks are used
- BUG/MAJOR: backend: consistent hash can loop forever in certain
circumstances
For 1.5, no less than 28 bugs were fixed since 1.5-dev18, but as usual, either
you were not affected by them or were already using a more recent snapshot :-)
Bugs apart, 1.5 has received long-awaited updates, among which :
- error reporting for acl/fetch was improved, log-format can now indicate
where a bad keyword was detected ;
- the stats page allow the output to be filtered to certain proxies only
- transparent proxy is now supported on FreeBSD/OpenBSD
- new ACL fetch full_hdr() works on a full header line, as opposed to
hdr() which works on a comma-delimited list of values. This is useful
with some new user-agents which include commas and could not be matched ;
- health-checks try to drain server response first to avoid to emit a
TCP reset whenever possible ;
- new "http-response" rule sets allows some processing to be performed
based on the response (eg: add/set header) ;
- new actions for http-request/http-response :
+ set-nice : change the task's priority : allows high-bandwidth,
low importance tasks to be deprioritized (useful for compression
as well) ;
+ set-log-level : change the log level of current request, with
possibility to completely disable it (eg: log POSTs with higher
severity or stop logging statics, etc...) ;
+ set-tos : set the DSCP field of outgoing packets to the specified
value. Can be useful to route certain responses over different
links ;
+ set-mark : set a netfilter mark on all outgoing packets to the
specified value. Can be used as an alternative to DSCP above, or
to blacklist some IPs (when combined with ipset for example) ;
- new action "expect-proxy layer4" for "tcp-request connection". This
allows the PROXY protocol to be conditionally enabled on incoming
connections. For example, when you rely on an external haproxy farm
whose addresses are known, the PROXY protocol can be enabled just
for them.
- a new "env()" fetch keyword was added to retrieve an environment
variable. This allows a same config to be used in various modes by
just changing an environment variable during a reload (eg: prod/maint).
Other usages include passing the Via header to servers.
- stick-counters have been increased to 3 (sc0, sc1, sc2), because most
often when combining to criteria, it was not possible to have both 1,
2 and 1+2 at the same time.
- ACL usage simplification : fetch methods of types boolean, integer
or IP address are automatically usable in ACLs without having to
specify "-m $type". This permitted to significantly clean the code
by removing many double references to same keywords. Contributors
will probably appreciated.
- the ACL/fetch doc experienced a major lift up to avoid referencing the
same keywords twice. It was by far the hardest change of this whole
version!
I receive about twice a week a question asking "when will 1.5 become stable ?".
We're still focusing primarily on this task, but the changes introduced in
last september had a lot of impact and were not trivial to fix. Server-side
keep-alive is still the condition to switch to 1.5-stable. In the mean time,
some issues with buffer management still need to be adressed in order to be
able to fix compression (which is disabled for chunked encoding right now).
Another big deal is to propagate the process binding to listeners to fix some
issues with peers and stats socket in multi-process mode. I already have
patches for this but they're broken, dependencies are too deep and they need
to be redesigned. The rest is not very important and can be postponed.
It seems reasonable to think about 1.5-stable by the end of the summer, so
all in all it's as always "in 3 months"... The good thing is that I'm getting
more time dedicated to this task at Exceliance, so this never-ending promise
might become true.
Usual links below :
Site index : http://haproxy.1wt.eu/
Sources (1.4) : http://haproxy.1wt.eu/download/1.4/src/
Changelog (1.4) : http://haproxy.1wt.eu/download/1.4/src/CHANGELOG
Sources (1.5) : http://haproxy.1wt.eu/download/1.5/src/devel/
Changelog (1.5) : http://haproxy.1wt.eu/download/1.5/src/CHANGELOG
Cyril's HTML doc :
http://cbonte.github.com/haproxy-dconv/configuration-1.5.html
Do not forget to upgrade or patch,
Willy
