From 3ac082b2b2c891db4205fb04c9d7162a139d07d3 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Tue, 26 May 2026 13:56:12 +0200
Subject: [PATCH] BUG/MEDIUM: mux-fcgi: reject stream ID 0 for application records

Records with a stream ID set to 0 are reserved to management records. However there was no check to trigger an error if an application record is received with a stream ID to 0. This could lead to crash becausqe management streams (which are static and immutable) can be modified while processing application records (STDOUT/STDERR/END_REQUEST). To fix the issue, An error is returned if the stream ID 0 is set on GET_VALUES_RESULT or UNKNOWN_TYPE records. This patch must be backported to all stable versions.
---
 src/mux_fcgi.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/mux_fcgi.c b/src/mux_fcgi.c
index 8838be95d..7bd5d82de 100644
--- a/src/mux_fcgi.c
+++ b/src/mux_fcgi.c
@@ -2644,6 +2644,16 @@ static void fcgi_process_demux(struct fcgi_conn *fconn)
 }
 fstrm = tmp_fstrm;

+ if (fconn->dsi == 0 && fconn->drt != FCGI_GET_VALUES_RESULT && fconn->drt != FCGI_UNKNOWN_TYPE) {
+ /* Stream ID 0 is reserved for management records and
+ * must not used for application record type.
+ */
+ fconn->state = FCGI_CS_CLOSED;
+ TRACE_ERROR("Application record with SID 0", FCGI_EV_RX_RECORD|FCGI_EV_RX_FHDR|FCGI_EV_RX_GETVAL|FCGI_EV_FCONN_ERR, fconn->conn);
+ TRACE_STATE("switching to CLOSED", FCGI_EV_RX_RECORD|FCGI_EV_RX_FHDR|FCGI_EV_RX_GETVAL|FCGI_EV_FCONN_ERR, fconn->conn);
+ goto fail;
+ }
+
 if (fstrm->state == FCGI_SS_CLOSED && fconn->dsi != 0) {
 /* ignore all record for closed streams */
 goto ignore_record;
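Review bot: The comment in the added block reads `must not used for application record type`, which drops a word, and both trace calls carry `FCGI_EV_RX_GETVAL` even though this branch is only reached when `fconn->drt` is not `FCGI_GET_VALUES_RESULT`. I would reword the comment to `/* Stream ID 0 is reserved for management records and must not be used for application record types. */` and drop `FCGI_EV_RX_GETVAL` from the two masks so the trace filter matches what is actually being rejected. The guard covers application types arriving on SID 0 only; whether a management type arriving with a non-zero SID is rejected elsewhere in `fcgi_process_demux` cannot be seen here, because the function starts and ends outside the hunk, and is worth confirming before the backport. The last paragraph of the description also states the condition the other way round from the code, which errors on SID 0 when the type is neither `FCGI_GET_VALUES_RESULT` nor `FCGI_UNKNOWN_TYPE`.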