commit 1a58aca84ed899da3b9b28445156ba1f5f1b9005
author Amaury Denoyelle <adenoyelle@haproxy.com> Fri Jan 22 16:47:46 2021 +0100
committer Amaury Denoyelle <adenoyelle@haproxy.com> Fri Feb 12 12:33:05 2021 +0100
tree 7630f16149f89ac578cd15874110e5126c268289
parent 81c6f76d3ebefa95108eeb2fcf7aae042253810b

MINOR: connection: use the srv pointer for the srv conn hash

The pointer of the target server is used as a first parameter for the
server connection hash calcul. This prevents the hash to be null when no
specific parameters are present, and can serve as a simple defense
against an attacker trying to reuse a non-conform connection.

src/backend.c

diff --git a/src/backend.c b/src/backend.c
index 4b2c9f8..4879940 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -1251,15 +1251,18 @@
 
 	/* first, set unique connection parameters and then calculate hash */
 	memset(&hash_params, 0, sizeof(hash_params));
-	hash = conn_calculate_hash(&hash_params);
+
+	srv = objt_server(s->target);
+	hash_params.srv = srv;
+
+	if (srv)
+		hash = conn_calculate_hash(&hash_params);
 
 	/* This will catch some corner cases such as lying connections resulting from
 	 * retries or connect timeouts but will rarely trigger.
 	 */
 	si_release_endpoint(&s->si[1]);
 
-	srv = objt_server(s->target);
-
 	/* do not reuse if mode is http or if avail list is not allocated */
 	if ((s->be->mode != PR_MODE_HTTP) || (srv && !srv->available_conns_tree))
 		goto skip_reuse;

src/connection.c

diff --git a/src/connection.c b/src/connection.c
index f5dbffb..3656b36 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -1421,6 +1421,8 @@
 
 	buf = trash.area;
 
+	conn_hash_update(buf, &idx, &params->srv, sizeof(params->srv), &hash_flags, 0);
+
 	hash = conn_hash_digest(buf, idx, hash_flags);
 	return hash;
 }