upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-06-08 16:23:24 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

BUG/MEDIUM: mux-h1: Dup connection/upgrade value to parse it when making headers

Browse source 
When message headers are formatted, the connection and upgrade header values
are parsed to be sanitized and to fill H1M flags. The values are modified in
place without changing the HTX message information accordingly (the block
info and the HTX info). It could be an issue if the output buffer is full
and the header cannot be formatted. Because the formatting can be stopped
with a HTX message in hazardous state.

It should be quite difficult to trigger this issue. But now, a copy of the
value is performed before parsing it. So only the copy will be altered,
leaving the HTX message in a safe state.

This patch must be backported to all stable versions.
This commit is contained in:
Christopher Faulet 2026-05-29 16:26:29 +02:00
parent f1aac4a3b2
commit de25313cd8
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/mux_h1.c
View file

@ -2708,11 +2708,17 @@ static size_t h1_make_headers(struct h1s *h1s, struct h1m *h1m, struct htx *htx,
h1s->flags |= H1S_F_HAVE_CLEN;
}
else if (isteq(n, ist("connection"))) {
/* copy the value because it can be modified, but the HTX blocks will not */
memcpy(trash.area, v.ptr, v.len);
v.ptr = trash.area;
h1_parse_connection_header(h1m, &v);
if (!v.len)
goto nextblk;
}
else if (isteq(n, ist("upgrade"))) {
/* copy the value because it can be modified, but the HTX blocks will not */
memcpy(trash.area, v.ptr, v.len);
v.ptr = trash.area;
h1_parse_upgrade_header(h1m, &v);
if (!v.len)
goto nextblk;