BUG/MEDIUM: spoe: Return an invalid frame on recv if size is too small
Frames with a too small size must be detected on receive and an error must
be triggered. It is especially important for frames of size 0. Otherwise,
because the frame length is used as return value, the frame is ignored (0 is
the return value to state the frame must be ignored). It is an issue because
in this case, outgoing data, the 4 bytes representing the frame size, are
never consumed. If the agent also closes the connection, this leads to a
wakeup loop because outgoing data are stuck and a shutdown is pending.
In addition, all pending outgoing data are systematically skipped when the
applet is in SPOE_APPCTX_ST_END state.
The patch should fix the issue #2490. It must be backported to all stable
versions.
(cherry picked from commit eb89e4f3e0595abdd38694b01209d6a69787f8cf)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit acba18f66a59df41c6406f831be98a40f62020f3)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 6fe1060d124677901bf80be26385e001a1ab4953)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 63d160409aadaf13765eb5b94020a8c6b0064509)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 214ac94feb4280f7bbf68253c7a66637f4500d4a)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index 76cded1..f2733c0 100644
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -1167,6 +1167,10 @@
ret = co_getblk(si_oc(si), (char *)&netint, 4, 0);
if (ret > 0) {
framesz = ntohl(netint);
+ if (framesz < 7) {
+ SPOE_APPCTX(appctx)->status_code = SPOE_FRM_ERR_INVALID;
+ return -1;
+ }
if (framesz > SPOE_APPCTX(appctx)->max_frame_size) {
SPOE_APPCTX(appctx)->status_code = SPOE_FRM_ERR_TOO_BIG;
return -1;
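Review bot: the new `if (framesz < 7)` check uses a bare magic number with no comment; a named constant or a one-line comment stating what the minimum header size of a frame is made of would make the bound verifiable by the next reader and keep it in sync if the header layout ever changes. The ordering is fine: the too-small check runs before the existing `framesz > SPOE_APPCTX(appctx)->max_frame_size` check, both set a distinct `status_code` and return -1, so a zero-length frame no longer takes the "ignore" path that left the 4 length bytes unconsumed.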
@@ -1980,6 +1984,7 @@
/* fall through */
case SPOE_APPCTX_ST_END:
+ co_skip(si_oc(si), co_data(si_oc(si)));
return;
}
out:
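Review bot: the added `co_skip(si_oc(si), co_data(si_oc(si)));` under `case SPOE_APPCTX_ST_END:` silently discards every pending outgoing byte, and because the preceding case is marked `/* fall through */` it now applies to that state as well; please add a short comment saying that the applet is terminating and that dropping unsent data here is intentional, so a future reader does not mistake it for a lost write.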