A similar issue was fixed in 67dad27, but the fix is incomplete. A crash still happened when utilizing req.fhdr() and sending exactly MAX_HDR_HISTORY headers.
This fix needs to be backported to 1.5 and 1.6. Signed-off-by: Nenad Merdanovic <[email protected]> --- src/proto_http.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/proto_http.c b/src/proto_http.c index b7654a6..7abe493 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -8537,10 +8537,13 @@ unsigned int http_get_fhdr(const struct http_msg *msg, const char *hname, int hl } if (-occ > found) return 0; + /* OK now we have the last occurrence in [hist_ptr-1], and we need to - * find occurrence -occ, so we have to check [hist_ptr+occ]. + * find occurrence -occ. 0 <= hist_ptr < MAX_HDR_HISTORY, and we have + * -10 <= occ <= -1. So we have to check [hist_ptr%MAX_HDR_HISTORY+occ] + * to remain in the 0..9 range. */ - hist_ptr += occ; + hist_ptr += occ + MAX_HDR_HISTORY; if (hist_ptr >= MAX_HDR_HISTORY) hist_ptr -= MAX_HDR_HISTORY; *vptr = ptr_hist[hist_ptr]; -- 2.7.0
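Review bot: The rewritten comment above the index computation in http_get_fhdr() does not describe what the code does. It says to check [hist_ptr%MAX_HDR_HISTORY+occ], but that expression goes negative whenever -occ is larger than hist_ptr, which is exactly the out-of-range case being fixed. The code instead computes hist_ptr + occ + MAX_HDR_HISTORY and subtracts MAX_HDR_HISTORY once if the result is >= MAX_HDR_HISTORY. Suggest wording the comment as (hist_ptr + occ + MAX_HDR_HISTORY) % MAX_HDR_HISTORY, and giving the bounds in terms of MAX_HDR_HISTORY instead of the literals -10 and 0..9, so the comment stays correct if the constant changes. Separately, the single conditional subtraction keeps the index in range only while -MAX_HDR_HISTORY <= occ <= -1. The only guard visible in this hunk is "if (-occ > found) return 0;", so the lower bound depends on found never exceeding MAX_HDR_HISTORY, or on occ being clamped earlier in the function. Neither is visible here, so please confirm that invariant, or make it explicit next to the index arithmetic, since this index is used directly for the ptr_hist[hist_ptr] read.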

