Re: [PATCH] BUG/MINOR: WURFL: fix send_log() function arguments

2019-10-15 Thread Christopher Faulet

On 15/10/2019 at 08:20, Miroslav Zagorac wrote:

Hello,

this patch fixes the segmentation fault in WURFL device detection code.

The problem occurs when character combinations that represent the
special formatting codes used in the vfprintf() function are found within
the user agent data.

For example, by running the command 'curl -A"%s s% s%" ...', the user
agent string is set to '%s s% s%', causing the HAProxy to crash.

This only happens if the HAProxy is compiled with the option -DWURFL_DEBUG.

This patch could be backported in every version supporting the
ScientiaMobile's WURFL. (as far as 1.7)



Merged, thank you Miroslav !

--
Christopher Faulet



[PATCH] BUG/MINOR: WURFL: fix send_log() function arguments

2019-10-15 Thread Miroslav Zagorac

Hello,

this patch fixes the segmentation fault in WURFL device detection code.

The problem occurs when character combinations that represent the 
special formatting codes used in the vfprintf() function are found within 
the user agent data.


For example, by running the command 'curl -A"%s s% s%" ...', the user 
agent string is set to '%s s% s%', causing the HAProxy to crash.


This only happens if the HAProxy is compiled with the option -DWURFL_DEBUG.

This patch could be backported in every version supporting the 
ScientiaMobile's WURFL. (as far as 1.7)


--
Miroslav Zagorac
From 87bc2f08062218f9790135a1899d06936aa7178c Mon Sep 17 00:00:00 2001
From: Miroslav Zagorac 
Date: Mon, 14 Oct 2019 17:15:56 +0200
Subject: [PATCH] BUG/MINOR: WURFL: fix send_log() function arguments

If the user agent data contains text that has special characters that
are used to format the output from the vfprintf() function, haproxy
crashes.  String "%s %s %s" may be used as an example.

% curl -A "%s %s %s" localhost:10080/index.html
curl: (52) Empty reply from server

haproxy log:
:WURFL-test.clireq[00c7:]: GET /index.html HTTP/1.1
:WURFL-test.clihdr[00c7:]: host: localhost:10080
:WURFL-test.clihdr[00c7:]: user-agent: %s %s %s
:WURFL-test.clihdr[00c7:]: accept: */*
segmentation fault (core dumped)

gdb 'where' output:
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x7f7c014a8da8 in _IO_vfprintf_internal (s=s@entry=0x7ffc808fe750, format=,
format@entry=0x7ffc808fe9c0 "WURFL: retrieve header request returns [%s %s %s]\n",
ap=ap@entry=0x7ffc808fe8b8) at vfprintf.c:1637
#2  0x7f7c014cfe89 in _IO_vsnprintf (
string=0x55cb772c34e0 "WURFL: retrieve header request returns [(null) %s %s %s  B,w\313U",
maxlen=,
format=format@entry=0x7ffc808fe9c0 "WURFL: retrieve header request returns [%s %s %s]\n",
args=args@entry=0x7ffc808fe8b8) at vsnprintf.c:114
#3  0x55cb758f898f in send_log (p=p@entry=0x0, level=level@entry=5,
format=format@entry=0x7ffc808fe9c0 "WURFL: retrieve header request returns [%s %s %s]\n")
at src/log.c:1477
#4  0x55cb75845e0b in ha_wurfl_log (
message=message@entry=0x55cb75989460 "WURFL: retrieve header request returns [%s]\n") at src/wurfl.c:47
#5  0x55cb7584614a in ha_wurfl_retrieve_header (header_name=, wh=0x7ffc808fec70)
at src/wurfl.c:763

In case WURFL (actually HAProxy) is not compiled with debug option
enabled (-DWURFL_DEBUG), this bug does not come to light.

This patch could be backported in every version supporting
the ScientiaMobile's WURFL. (as far as 1.7)
---
 src/wurfl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wurfl.c b/src/wurfl.c
index 1e702c029..47968e212 100644
--- a/src/wurfl.c
+++ b/src/wurfl.c
@@ -44,7 +44,7 @@ inline static void ha_wurfl_log(char * message, ...)
 	va_start(argp, message);
 	vsnprintf(logbuf, sizeof(logbuf), message, argp);
 	va_end(argp);
-	send_log(NULL, LOG_NOTICE, logbuf, NULL);
+	send_log(NULL, LOG_NOTICE, "%s", logbuf);
 }
 #else
 inline static void ha_wurfl_log(char * message, ...)
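
Review bot: ha_wurfl_log() is still declared as `ha_wurfl_log(char * message, ...)` with no printf format annotation, both in the debug variant named in the hunk header and in the `#else` variant at the end of the hunk, so the compiler cannot check format/argument pairing at its call sites. Consider `const char *message` plus `__attribute__((format(printf, 1, 2)))` on both definitions. The changed line itself is right to pass logbuf as an argument to a constant "%s": logbuf is already the output of vsnprintf() and must not be parsed as a format a second time.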
-- 
2.20.1
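
The double expansion this patch removes, reduced to a stand-alone C sketch (an added example, not HAProxy code). sink_log() is a hypothetical stand-in for send_log(), wurfl_log_fixed() follows the patched call shape, and pending_conversions() is a rough helper that counts the conversions a second formatting pass would have tried to satisfy; the user agent value is the one from the commit message.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for send_log(): a printf-style sink writing to a buffer. */
char sink[256];

__attribute__((format(printf, 1, 2)))
void sink_log(const char *format, ...)
{
	va_list ap;
	va_start(ap, format);
	vsnprintf(sink, sizeof(sink), format, ap);
	va_end(ap);
}

/* Same shape as the patched wrapper: expand once, then hand the result over as data. */
__attribute__((format(printf, 1, 2)))
void wurfl_log_fixed(const char *message, ...)
{
	char logbuf[256];
	va_list ap;
	va_start(ap, message);
	vsnprintf(logbuf, sizeof(logbuf), message, ap);
	va_end(ap);
	sink_log("%s", logbuf);	/* pre-patch equivalent: sink_log(logbuf, NULL) */
}

/* Rough count of '%' conversions a second printf-style pass over s would act on ("%%" excluded). */
int pending_conversions(const char *s)
{
	int n = 0;
	for (; *s != '\0'; s++) {
		if (*s != '%')
			continue;
		if (s[1] == '%')
			s++;		/* literal percent sign */
		else
			n++;
	}
	return n;
}

int main(void)
{
	/* Constructed input: the user agent string from the commit message. */
	wurfl_log_fixed("WURFL: retrieve header request returns [%s]\n", "%s %s %s");
	printf("%d conversions left in: %s", pending_conversions(sink), sink);
	return 0;
}
```

With the constant "%s" format the header text reaches the sink byte for byte; the non-zero count is what the pre-patch call would have resolved against arguments that were never supplied.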