stable-bot: Bugfixes waiting for a release 2.3 (5), 2.1 (7), 2.0 (11)

[stable-bot]

Hi,

This is a friendly bot that watches fixes pending for the next haproxy-stable 
release!  One such e-mail is sent periodically once patches are waiting in the 
last maintenance branch, and an ideal release date is computed based on the 
severity of these fixes and their merge date.  Responses to this mail must be 
sent to the mailing list.


Last release 2.3.9 was issued on 2021-03-30.  There are currently 5 patches 
in the queue cut down this way:
- 5 MINOR, first one merged on 2021-03-31

Thus the computed ideal release date for 2.3.10 would be 2021-04-28, which is 
in three weeks or less.

Last release 2.1.12 was issued on 2021-03-18.  There are currently 7 
patches in the queue cut down this way:
- 4 MEDIUM, first one merged on 2021-03-31
- 3 MINOR, first one merged on 2021-03-31

Thus the computed ideal release date for 2.1.13 would be 2021-05-26, which is 
in seven weeks or less.

Last release 2.0.21 was issued on 2021-03-18.  There are currently 11 
patches in the queue cut down this way:
- 1 BUG, first one merged on 2021-03-24
- 6 MEDIUM, first one merged on 2021-03-24
- 4 MINOR, first one merged on 2021-03-31

Thus the computed ideal release date for 2.0.22 would be 2021-05-19, which is 
in six weeks or less.

The current list of patches in the queue is:
 - 2.0   - BUG : mworker/cli: do not use the unix_bind 
prefix for the master CLI socket
 - 2.0, 2.1  - MEDIUM  : thread: Fix a deadlock if an isolated 
thread is marked as harmless
 - 2.0   - MEDIUM  : lua: Always init the lua stack before 
referencing the context
 - 2.0   - MEDIUM  : debug/lua: Use internal hlua function 
to dump the lua traceback
 - 2.0, 2.1  - MEDIUM  : mux-h1: make h1_shutw_conn() idempotent
 - 2.0, 2.1  - MEDIUM  : freq_ctr/threads: use the 
global_now_ms variable
 - 2.0, 2.1  - MEDIUM  : time: make sure to always initialize 
the global tick
 - 2.0, 2.1  - MINOR   : http_fetch: make hdr_ip() reject 
trailing characters
 - 2.0, 2.1, 2.3 - MINOR   : tcp: fix silent-drop workaround for 
IPv6
 - 2.0   - MINOR   : stats: Apply proper styles in HTML 
status page.
 - 2.3   - MINOR   : ssl: Fix update of default certificate
 - 2.3   - MINOR   : ssl: Add missing free on SSL_CTX in 
ckch_inst_free
 - 2.0, 2.1, 2.3 - MINOR   : http_fetch: make hdr_ip() resistant to 
empty fields
 - 2.3   - MINOR   : ssl: Prevent removal of crt-list line 
if the instance is a default one

-- 
The haproxy stable-bot is freely provided by HAProxy Technologies to help 
improve the quality of each HAProxy release.  If you have any issue with these 
emails or if you want to suggest some improvements, please post them on the 
list so that the solutions suiting the most users can be found.

Re: [PATCH] JWT payloads break b64dec convertor

[Willy Tarreau]

Hi Moemen,

On Tue, Apr 06, 2021 at 01:58:11AM +0200, Moemen MHEDHBI wrote:
> Only part unclear:
> On 02/04/2021 15:04, Tim Düsterhus wrote:
> >> +int base64urldec(const char *in, size_t ilen, char *out, size_t olen) {
> >> +char conv[ilen+2];
> >
> > This looks like a remotely triggerable stack overflow.
> 
> You mean in case ilen is too big?

Yes that's it, I didn't notice it during the first review. It's
particularly uncommon to use variable sized arrays and should never
be done. The immediate effect of this is that it will reserve some
room in the stack for a size as large as ilen+2 bytes. The problem
is that on most platforms the stack grows down, so the beginning of
the buffer is located at a point which is very far away from the
current stack. This memory is in fact not allocated, so the system
detects the first usage through a page fault and allocates the
necessary space. But in order to know that the page fault is within
the stack, it has to apply a certain margin. And this margin varies
between OSes and platforms. Some compilers will explicitly initialize
such a large stack from top to bottom to avoid a crash. Other ones
will not do and may very well crash at 64kB. On Linux, I can make the
above crash by using a 8 MB ilen, just because by default the stack
size limit is 8 MB. That's large but not overly excessive for those
who would like to perform some processing on bodies. And I recall
that some other OSes default to way smaller limits (I recall 64kB
on OpenBSD a long time ago though this might have been raised to a
megabyte or so by now).

> in such case should we rather use dynamic allocation ?

No, there are two possible approaches. One of them is to use a trash
buffer using get_trash_chunk(). The trash buffers are "large enough"
for anything that comes from outside. A second, cleaner solution
simply consists in not using a temporary buffer but doing the conversion
on the fly. Indeed, looking closer, what the function does is to first
replace a few chars on the whole chain to then call the base64 conversion
function. So it doubles the work on the string and one side effect of
this double work is that you need a temporary storage.

Other approaches would consist in either reimplementing the functions
with a different alphabet, or modifying the existing ones to take an
extra argument for the conversion table, and make one set of functions
making use of the current table and another set making use of your new
table.

Willy