Le 18/05/2018 à 12:38, Thierry FOURNIER a écrit :
Hi,
In attachment two patches for SPOE.
The first fix an error message, and the second fix a mistake in the protocol.
Thanks Thierry for these patches. Here are fixes for the SPOAs
modsecurity and mod_defender.
--
Christopher Faulet
>From 444e432df47b77a635296d85fb6673f60b92bef7 Mon Sep 17 00:00:00 2001
From: Christopher Faulet <[email protected]>
Date: Fri, 18 May 2018 14:38:56 +0200
Subject: [PATCH 1/2] BUG/MEDIUM: contrib/mod_defender: Use network order to
encode/decode flags
A recent fix on the SPOE revealed a mismatch between the SPOE specification and
the mod_defender implementation on the way flags are encoded or decoded. They
must be exchanged using the network bytes order and not the host one.
Be careful though, this patch breaks the compatiblity with HAProxy SPOE before
commit c4dcaff3 ("BUG/MEDIUM: spoe: Flags are not encoded in network order").
---
contrib/mod_defender/spoa.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/contrib/mod_defender/spoa.c b/contrib/mod_defender/spoa.c
index c4e15bb4..1191260a 100644
--- a/contrib/mod_defender/spoa.c
+++ b/contrib/mod_defender/spoa.c
@@ -460,6 +460,7 @@ handle_hahello(struct spoe_frame *frame)
/* Retrieve flags */
memcpy((char *)&(frame->flags), p, 4);
+ frame->flags = ntohl(frame->flags);
p += 4;
/* Fragmentation is not supported for HELLO frame */
@@ -567,6 +568,7 @@ handle_hadiscon(struct spoe_frame *frame)
/* Retrieve flags */
memcpy((char *)&(frame->flags), p, 4);
+ frame->flags = ntohl(frame->flags);
p += 4;
/* Fragmentation is not supported for DISCONNECT frame */
@@ -648,6 +650,7 @@ handle_hanotify(struct spoe_frame *frame)
/* Retrieve flags */
memcpy((char *)&(frame->flags), p, 4);
+ frame->flags = ntohl(frame->flags);
p += 4;
/* Fragmentation is not supported */
@@ -710,6 +713,7 @@ handle_hafrag(struct spoe_frame *frame)
/* Retrieve flags */
memcpy((char *)&(frame->flags), p, 4);
+ frame->flags = ntohl(frame->flags);
p+= 4;
/* Read the stream-id and frame-id */
@@ -772,6 +776,7 @@ prepare_agenthello(struct spoe_frame *frame)
*p++ = SPOE_FRM_T_AGENT_HELLO;
/* Set flags */
+ flags = htonl(flags);
memcpy(p, (char *)&flags, 4);
p += 4;
@@ -853,6 +858,7 @@ prepare_agentdicon(struct spoe_frame *frame)
*p++ = SPOE_FRM_T_AGENT_DISCON;
/* Set flags */
+ flags = htonl(flags);
memcpy(p, (char *)&flags, 4);
p += 4;
@@ -900,6 +906,7 @@ prepare_agentack(struct spoe_frame *frame)
*p++ = SPOE_FRM_T_AGENT_ACK;
/* Set flags */
+ flags = htonl(flags);
memcpy(p, (char *)&flags, 4);
p += 4;
--
2.14.3
>From d424c222e690cf93075ba2f94911cb557218b521 Mon Sep 17 00:00:00 2001
From: Christopher Faulet <[email protected]>
Date: Fri, 18 May 2018 14:46:32 +0200
Subject: [PATCH 2/2] BUG/MEDIUM: contrib/modsecurity: Use network order to
encode/decode flags
A recent fix on the SPOE revealed a mismatch between the SPOE specification and
the modsecurity implementation on the way flags are encoded or decoded. They
must be exchanged using the network bytes order and not the host one.
Be careful though, this patch breaks the compatiblity with HAProxy SPOE before
commit c4dcaff3 ("BUG/MEDIUM: spoe: Flags are not encoded in network order").
---
contrib/modsecurity/spoa.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/contrib/modsecurity/spoa.c b/contrib/modsecurity/spoa.c
index 506ff824..ab3e8b2b 100644
--- a/contrib/modsecurity/spoa.c
+++ b/contrib/modsecurity/spoa.c
@@ -465,6 +465,7 @@ handle_hahello(struct spoe_frame *frame)
/* Retrieve flags */
memcpy((char *)&(frame->flags), p, 4);
+ frame->flags = ntohl(frame->flags);
p += 4;
/* Fragmentation is not supported for HELLO frame */
@@ -572,6 +573,7 @@ handle_hadiscon(struct spoe_frame *frame)
/* Retrieve flags */
memcpy((char *)&(frame->flags), p, 4);
+ frame->flags = ntohl(frame->flags);
p += 4;
/* Fragmentation is not supported for DISCONNECT frame */
@@ -653,6 +655,7 @@ handle_hanotify(struct spoe_frame *frame)
/* Retrieve flags */
memcpy((char *)&(frame->flags), p, 4);
+ frame->flags = ntohl(frame->flags);
p += 4;
/* Fragmentation is not supported */
@@ -715,6 +718,7 @@ handle_hafrag(struct spoe_frame *frame)
/* Retrieve flags */
memcpy((char *)&(frame->flags), p, 4);
+ frame->flags = ntohl(frame->flags);
p+= 4;
/* Read the stream-id and frame-id */
@@ -777,6 +781,7 @@ prepare_agenthello(struct spoe_frame *frame)
*p++ = SPOE_FRM_T_AGENT_HELLO;
/* Set flags */
+ flags = htonl(flags);
memcpy(p, (char *)&flags, 4);
p += 4;
@@ -858,6 +863,7 @@ prepare_agentdicon(struct spoe_frame *frame)
*p++ = SPOE_FRM_T_AGENT_DISCON;
/* Set flags */
+ flags = htonl(flags);
memcpy(p, (char *)&flags, 4);
p += 4;
@@ -905,6 +911,7 @@ prepare_agentack(struct spoe_frame *frame)
*p++ = SPOE_FRM_T_AGENT_ACK;
/* Set flags */
+ flags = htonl(flags);
memcpy(p, (char *)&flags, 4);
p += 4;
--
2.14.3
