There was a tcp-request inspect-delay of 2s in the configuration when running 
the repro, so it should be fine.



> On 28 May 2017, at 11:41, Willy Tarreau <[email protected]> wrote:
>
> Hi Jean,
>
>> On Sun, May 28, 2017 at 09:15:56AM +0000, Jean LUBATTI wrote:
>> Hi Willy,
>>
>> I just tried the line "tcp-request content capture req.hdrs_bin len 2000" 
>> in the config but I get:
>>
>> [ALERT] 147/073131 (13352) : parsing [/etc/haproxy/haproxy.cfg:42] : 
>> 'tcp-request content capture' : unknown fetch method 'req.hdrs_bin'
>> [ALERT] 147/073131 (13352) : Error(s) found in configuration file : 
>> /etc/haproxy/haproxy.cfg
>> [ALERT] 147/073131 (13352) : Fatal errors found in configuration.
>> Errors found in configuration file, check it with 'haproxy check'.
>
> Sorry, this one is only in 1.8-dev.
>
>> I changed it to :
>>
>> tcp-request content capture req.payload(0,2000) len 2000
>>
>> but I don't think it works (at least not when inspecting the core on 
>> s->req).
>
> Ah, I forgot to mention you need to allow a delay for the request to arrive,
> you need to add this :
>
>    tcp-request inspect-delay 10s
>
> (for example)
>
>> Here is the output of haproxy running under gdb when the attack happens:
>>
>> 000001d7:ft_appmarket_preprod_services_ingenico_com_443.clireq[0027:ffffffff]:
>>  GET /wp-content/uploads/ HTTP/1.1
>> 000001d7:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0027:ffffffff]:
>>  Host: 185.139.245.111
>> 000001d7:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0027:ffffffff]:
>>  User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:40.0) Gecko/20100101 
>> Firefox/40.0
>> 000001d7:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0027:ffffffff]:
>>  Cookie: SERVERID=ppmktplportals01fe
>> 000001d7:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0027:ffffffff]:
>>  Accept-Encoding: gzip
>> 000001d8:ft_appmarket_preprod_services_ingenico_com_443.clireq[0028:ffffffff]:
>>  GET /wp-content/uploads/2015/ HTTP/1.1
>> 000001d8:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0028:ffffffff]:
>>  Host: 185.139.245.111
>> 000001d8:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0028:ffffffff]:
>>  User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:40.0) Gecko/20100101 
>> Firefox/40.0
>> 000001d8:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0028:ffffffff]:
>>  Cookie: SERVERID=ppmktplportals01fe
>> 000001d8:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0028:ffffffff]:
>>  Accept-Encoding: gzip
>> 000001d7:appmarket_preprod_services_ingenico_com_8443.srvrep[0027:0029]: 
>> HTTP/1.1 404 Not Found
>> 000001d7:appmarket_preprod_services_ingenico_com_8443.srvhdr[0027:0029]: 
>> Server: Apache-Coyote/1.1
>> 000001d7:appmarket_preprod_services_ingenico_com_8443.srvhdr[0027:0029]: 
>> Content-Length: 0
>> 000001d7:appmarket_preprod_services_ingenico_com_8443.srvhdr[0027:0029]: 
>> Date: Sun, 28 May 2017 09:03:04 GMT
>> 000001d7:appmarket_preprod_services_ingenico_com_8443.srvhdr[0027:0029]: 
>> Connection: close
>> 000001d8:appmarket_preprod_services_ingenico_com_8443.srvrep[0028:002a]: 
>> HTTP/1.1 404 Not Found
>> 000001d8:appmarket_preprod_services_ingenico_com_8443.srvhdr[0028:002a]: 
>> Server: Apache-Coyote/1.1
>> 000001d8:appmarket_preprod_services_ingenico_com_8443.srvhdr[0028:002a]: 
>> Content-Length: 0
>> 000001d8:appmarket_preprod_services_ingenico_com_8443.srvhdr[0028:002a]: 
>> Date: Sun, 28 May 2017 09:03:04 GMT
>> 000001d8:appmarket_preprod_services_ingenico_com_8443.srvhdr[0028:002a]: 
>> Connection: close
>> 000001d9:ft_appmarket_preprod_services_ingenico_com_443.clireq[0025:ffffffff]:
>>  GET /language/en-GB/en-GB.xml HTTP/1.1
>> 000001d9:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0025:ffffffff]:
>>  Host: 185.139.245.111
>> 000001d9:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0025:ffffffff]:
>>  User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:40.0) Gecko/20100101 
>> Firefox/40.0
>> 000001d9:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0025:ffffffff]:
>>  Cookie: SERVERID=ppmktplportals01fe
>> 000001d9:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0025:ffffffff]:
>>  Accept-Encoding: gzip
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> _wordcopy_fwd_dest_aligned (dstp=14712784, srcp=14712832, 
>> len=2305843009213203548) at wordcopy.c:196
>> 196           a0 = ((op_t *) srcp)[0];
>> (gdb)
>>
>> Attaching to the mail the core and the binary.
>
> Thanks for all this, I think I should be able to reproduce it with all this,
> otherwise I'll recontact you :-)
>
> Thanks!
> Willy
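
An added example, not part of the original mail or of HAProxy: a small Python helper that reads debug output in the shape quoted above, re-joins lines the mail client wrapped, and lists the streams that logged a request but no server response before the log ends. The proxy names, the address and the function names `parse` and `in_flight` are constructed for illustration.

```python
import re

# Constructed sample in the shape of the debug output quoted above:
# stream id, proxy name, event tag, [client fd:server fd], then the text,
# which mail wrapping may push onto the following line(s). Names are made up.
SAMPLE = """\
00000001:ft_example_443.clireq[0027:ffffffff]:
 GET /a/ HTTP/1.1
00000001:ft_example_443.clihdr[0027:ffffffff]:
 Host: 192.0.2.10
00000002:ft_example_443.clireq[0028:ffffffff]: GET /b/ HTTP/1.1
00000001:bk_example_8443.srvrep[0027:0029]:
HTTP/1.1 404 Not Found
00000003:ft_example_443.clireq[0025:ffffffff]:
 GET /c.xml HTTP/1.1
00000002:bk_example_8443.srvrep[0028:002a]: HTTP/1.1 404 Not Found

Program received signal SIGSEGV, Segmentation fault.
"""

QUOTE = re.compile(r"^(?:>\s?)+")  # mail quote markers such as ">> "
EVENT = re.compile(r"^([0-9a-f]{8}):(\S+)\.(\w+)\[[0-9a-f]{4}:[0-9a-f]+\]:\s*(.*)$")

def parse(text):
    """Return {stream_id: [[tag, text], ...]}, re-joining wrapped lines."""
    streams, last = {}, None
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).rstrip()
        m = EVENT.match(line)
        if m:
            last = [m.group(3), m.group(4).strip()]
            streams.setdefault(m.group(1), []).append(last)
        elif not line.strip():
            last = None          # blank line ends the event (gdb output follows)
        elif last is not None:
            last[1] = (last[1] + " " + line.strip()).strip()
    return streams

def in_flight(streams):
    """Streams that logged a request line but no server response line."""
    pending = []
    for sid, events in streams.items():
        tags = {tag for tag, _ in events}
        if "clireq" in tags and "srvrep" not in tags:
            pending.append((sid, next(t for tag, t in events if tag == "clireq")))
    return pending

if __name__ == "__main__":
    for sid, request in in_flight(parse(SAMPLE)):
        print(f"stream {sid} had no response yet: {request}")
```

A stream listed here is only a candidate for what was being processed when the process died; the core dump is what confirms it.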