On 05/10/2017 at 10:52, Christopher Faulet wrote:
Hi,

Here is the patch that fixes the bug reported by Marcus (see "Haproxy
segfault error 4 in libc-2.24").


Sorry, here is a new version of my patch. No reason to consider a zero-length string as an error.

--
Christopher Faulet
From 077217437a09e5d81216d377d9aff73dc1ce7122 Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfau...@haproxy.com>
Date: Thu, 5 Oct 2017 10:03:12 +0200
Subject: [PATCH] BUG/MEDIUM: http: Return an error when url_dec sample
 converter failed

url_dec sample converter uses url_decode function to decode a URL. This
function fails by returning -1 when an invalid character is found. But the
sample converter never checked the return value and it used it as length for the
decoded string. Because it always succeeded, the invalid sample (with a string
length set to -1) could be used by other sample fetches or sample converters,
leading to undefined behavior like segfault.

The fix is pretty simple, url_dec sample converter just needs to return an error
when url_decode fails.

This patch must be backported in 1.7 and 1.6.
---
 src/proto_http.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/proto_http.c b/src/proto_http.c
index fb5c0858e..40bd1c76d 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -12414,7 +12414,7 @@ static int sample_conv_url_dec(const struct arg *args, struct sample *smp, void
 	/* Add final \0 required by url_decode(), and convert the input string. */
 	smp->data.u.str.str[smp->data.u.str.len] = '\0';
 	smp->data.u.str.len = url_decode(smp->data.u.str.str);
-	return 1;
+	return (smp->data.u.str.len >= 0);
 }
 
 static int smp_conv_req_capture(const struct arg *args, struct sample *smp, void *private)
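
Review bot: on the failure path the -1 returned by url_decode() is still written into smp->data.u.str.len before the new return line evaluates to 0, so the sample is left holding a negative length. Consider keeping the result in a local int, returning 0 when it is negative, and assigning smp->data.u.str.len only on success, so that anything that inspects the sample after a failed conversion never sees the invalid length. A short comment on the return line saying that 0 means the decode failed would also help, and note that the `>= 0` test only works while len is a signed type.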
-- 
2.13.6
