On 07/04/2026 at 9:48 AM, Greg Kroah-Hartman wrote:
A copy-paste error in alloc_trash_buffers_per_thread() passes global.tune.bufsize_large to alloc_small_trash_buffers() instead of global.tune.bufsize_small. This sets small_trash_size = bufsize_large.

When tune.bufsize.large is configured, get_larger_trash_chunk() then incorrectly matches a large buffer against small_trash_size at line 169 and "grows" it to a regular (smaller) buffer. b_xfer() at line 179 attempts to copy the large buffer's contents into the smaller one:

- Default builds (DEBUG_STRICT=1): BUG_ON in __b_putblk() aborts the process -> remote DoS
- DEBUG_STRICT=0 builds: BUG_ON becomes ASSUME() and the compiler elides the check -> heap overflow with attacker-controlled bytes

Reachable via the json converter (sample.c:2862) when escaping ~bufsize_large/6 control characters in attacker-supplied data such as a request header or body.

Introduced in commit 92a24a4e875b ("MEDIUM: chunk: Add support for small chunks"). No backport needed.
---
 src/chunk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/chunk.c b/src/chunk.c index 639c7315733c..e6d9a44a799b 100644 --- a/src/chunk.c +++ b/src/chunk.c @@ -233,7 +233,7 @@ static int alloc_trash_buffers_per_thread() { return (alloc_trash_buffers(global.tune.bufsize) && alloc_large_trash_buffers(global.tune.bufsize_large) && - alloc_small_trash_buffers(global.tune.bufsize_large)); + alloc_small_trash_buffers(global.tune.bufsize_small)); }static void free_trash_buffers_per_thread()
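Review bot: the one-word fix in alloc_trash_buffers_per_thread() is right, but after it the three size classes are still taken on trust: nothing in this hunk, and nothing in the lookup the message cites (get_larger_trash_chunk() matching on small_trash_size before handing the buffer to b_xfer()), guarantees bufsize_small < bufsize < bufsize_large, so a future argument swap or a configured value that breaks that ordering reproduces the same path into a copy whose destination is smaller than its source. Consider rejecting an unordered set of sizes at configuration time, or having the grow step refuse a destination smaller than the source, rather than leaning on the BUG_ON in __b_putblk() that, as the message itself notes, a DEBUG_STRICT=0 build elides.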
Both fixes about chunks merged as BUG/MEDIUM. Thanks!

--
Christopher Faulet
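As an added illustration for this thread (not HAProxy's chunk.c and not part of the patch above), the following C model reproduces the shape of the bug the commit message describes: three size classes, a "next class up" lookup keyed on a buffer's current size, and a copy step. The names (init_pools, next_larger, xfer_checked, grow_full_large), the sizes and the lookup are assumptions chosen to mirror the description, not the project's code. With the argument mix-up reproduced, the large buffer's size equals the small class size, so the lookup hands back the regular buffer and the copy would overrun it; a checked transfer refuses that copy, which is exactly the case an elided assertion turns into a heap overflow. The block also shows the configuration-time ordering check that would catch the inversion regardless of which allocator argument was wrong.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of size-classed scratch ("trash") buffers, written for this
 * thread. It is not HAProxy's chunk.c: names, sizes and the lookup are
 * assumptions that only mirror the shape of the bug described above. */

struct tbuf {
    char   *area;   /* heap storage of `size` bytes */
    size_t  size;   /* capacity */
    size_t  data;   /* bytes in use */
};

/* One buffer per size class, as a per-thread pool would hold. */
static struct tbuf small_buf, regular_buf, large_buf;
static size_t small_size, regular_size, large_size;

static int alloc_tbuf(struct tbuf *b, size_t size)
{
    b->area = malloc(size);
    b->size = size;
    b->data = 0;
    return b->area != NULL;
}

/* Set up the three classes. `buggy` reproduces the mix-up the patch fixes:
 * the small class gets sized with the large value. */
static int init_pools(size_t small, size_t regular, size_t large, int buggy)
{
    regular_size = regular;
    large_size   = large;
    small_size   = buggy ? large : small;   /* copy-paste error modelled here */
    return alloc_tbuf(&small_buf, small_size)
        && alloc_tbuf(&regular_buf, regular_size)
        && alloc_tbuf(&large_buf, large_size);
}

static void free_pools(void)
{
    free(small_buf.area);
    free(regular_buf.area);
    free(large_buf.area);
    small_buf.area = regular_buf.area = large_buf.area = NULL;
}

/* Configuration-time check (an assumption of this example, not something
 * the patch adds): the classes must be strictly ordered, otherwise "the
 * next class up" is not guaranteed to be larger. */
static int size_classes_are_ordered(void)
{
    return small_size < regular_size && regular_size < large_size;
}

/* Next class up for a full buffer, keyed on its size, which is the lookup
 * pattern the commit message describes. NULL if b is already the largest. */
static struct tbuf *next_larger(const struct tbuf *b)
{
    if (b->size == small_size)
        return &regular_buf;
    if (b->size == regular_size)
        return &large_buf;
    return NULL;
}

/* Copy src's payload into dst, refusing when dst cannot hold it. An
 * assertion that a release build compiles out is not a substitute for this
 * branch: without it the memcpy below writes past the end of dst->area. */
static int xfer_checked(struct tbuf *dst, const struct tbuf *src)
{
    if (dst->size < src->data)
        return -1;
    memcpy(dst->area, src->area, src->data);
    dst->data = src->data;
    return 0;
}

/* "Large buffer is full, grow it." Returns 0 when it grew into a larger
 * class, 1 when no larger class exists (the expected outcome), and -1 when
 * the lookup handed back a smaller buffer and the copy was refused: the
 * case that is a heap overflow when the size check is elided. */
static int grow_full_large(void)
{
    struct tbuf *dst;

    large_buf.data = large_buf.size;
    memset(large_buf.area, 'A', large_buf.data);   /* attacker-shaped filler */
    dst = next_larger(&large_buf);
    if (!dst)
        return 1;
    return xfer_checked(dst, &large_buf);
}

int main(void)
{
    int buggy;

    /* Sizes are constructed for the demo; the ratio is all that matters. */
    for (buggy = 1; buggy >= 0; buggy--) {
        if (!init_pools(1024, 16384, 65536, buggy))
            return 1;
        printf("buggy=%d ordered=%d grow_full_large=%d\n",
               buggy, size_classes_are_ordered(), grow_full_large());
        free_pools();
    }
    return 0;
}
```

With buggy=1 the ordering check fails and grow_full_large() reports the refused copy; with buggy=0 the check passes and the large buffer correctly has no larger class to grow into. The point of the ordering check is that it is independent of which allocator call received the wrong argument.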

