Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 1b4cf9b7545792aedbf9cf00b8948e6cf28824ed^! / .
commit1b4cf9b7545792aedbf9cf00b8948e6cf28824ed[log] [tgz]
authorWilly Tarreau <w@1wt.eu>Thu Nov 09 11:15:45 2017 +0100
committerWilly Tarreau <w@1wt.eu>Thu Nov 09 11:15:45 2017 +0100
tree0517db5160b325b89a06c1eb32284b710953007b
parentddfbd83780de0f140fc7195d1a16953ec18ef37a [diff]
BUG/MINOR: h1: the HTTP/1 make status code parser check for digits

The H1 parser used by the H2 gateway was a bit lax and could validate
non-numbers in the status code. Since it computes the code on the fly
it's problematic, as "30:" is read as status code 310. Let's properly
check that it's a number now. No backport needed.

diff --git a/include/proto/h1.h b/include/proto/h1.h
index 4463ad0..ef405c4 100644
--- a/include/proto/h1.h
+++ b/include/proto/h1.h

@@ -52,6 +52,7 @@
 #define H1_FLG_CRLF 0x10
 #define H1_FLG_TOK  0x20
 #define H1_FLG_VER  0x40
+#define H1_FLG_DIG  0x80
 
 #define HTTP_IS_CTL(x)       (h1_char_classes[(uint8_t)(x)] & H1_FLG_CTL)
 #define HTTP_IS_SEP(x)       (h1_char_classes[(uint8_t)(x)] & H1_FLG_SEP)
@@ -60,6 +61,7 @@
 #define HTTP_IS_CRLF(x)      (h1_char_classes[(uint8_t)(x)] & H1_FLG_CRLF)
 #define HTTP_IS_TOKEN(x)     (h1_char_classes[(uint8_t)(x)] & H1_FLG_TOK)
 #define HTTP_IS_VER_TOKEN(x) (h1_char_classes[(uint8_t)(x)] & H1_FLG_VER)
+#define HTTP_IS_DIGIT(x)     (h1_char_classes[(uint8_t)(x)] & H1_FLG_DIG)
 
 
 /* Macros used in the HTTP/1 parser, to check for the expected presence of

diff --git a/src/h1.c b/src/h1.c
index f4d77e3..d3a20c2 100644
--- a/src/h1.c
+++ b/src/h1.c

@@ -75,16 +75,16 @@
 	['-'] = H1_FLG_TOK,
 	['.'] = H1_FLG_TOK | H1_FLG_VER,
 	['/'] = H1_FLG_SEP | H1_FLG_VER,
-	['0'] = H1_FLG_TOK | H1_FLG_VER,
-	['1'] = H1_FLG_TOK | H1_FLG_VER,
-	['2'] = H1_FLG_TOK | H1_FLG_VER,
-	['3'] = H1_FLG_TOK | H1_FLG_VER,
-	['4'] = H1_FLG_TOK | H1_FLG_VER,
-	['5'] = H1_FLG_TOK | H1_FLG_VER,
-	['6'] = H1_FLG_TOK | H1_FLG_VER,
-	['7'] = H1_FLG_TOK | H1_FLG_VER,
-	['8'] = H1_FLG_TOK | H1_FLG_VER,
-	['9'] = H1_FLG_TOK | H1_FLG_VER,
+	['0'] = H1_FLG_TOK | H1_FLG_VER | H1_FLG_DIG,
+	['1'] = H1_FLG_TOK | H1_FLG_VER | H1_FLG_DIG,
+	['2'] = H1_FLG_TOK | H1_FLG_VER | H1_FLG_DIG,
+	['3'] = H1_FLG_TOK | H1_FLG_VER | H1_FLG_DIG,
+	['4'] = H1_FLG_TOK | H1_FLG_VER | H1_FLG_DIG,
+	['5'] = H1_FLG_TOK | H1_FLG_VER | H1_FLG_DIG,
+	['6'] = H1_FLG_TOK | H1_FLG_VER | H1_FLG_DIG,
+	['7'] = H1_FLG_TOK | H1_FLG_VER | H1_FLG_DIG,
+	['8'] = H1_FLG_TOK | H1_FLG_VER | H1_FLG_DIG,
+	['9'] = H1_FLG_TOK | H1_FLG_VER | H1_FLG_DIG,
 	[':'] = H1_FLG_SEP,
 	[';'] = H1_FLG_SEP,
 	['<'] = H1_FLG_SEP,
@@ -909,11 +909,16 @@
 
 	case HTTP_MSG_RPCODE:
 	http_msg_rpcode:
-		if (likely(!HTTP_IS_LWS(*ptr))) {
+		if (likely(HTTP_IS_DIGIT(*ptr))) {
 			code = code * 10 + *ptr - '0';
 			EAT_AND_JUMP_OR_RETURN(ptr, end, http_msg_rpcode, http_msg_ood, state, HTTP_MSG_RPCODE);
 		}
 
+		if (unlikely(!HTTP_IS_LWS(*ptr))) {
+			state = HTTP_MSG_RPCODE;
+			goto http_msg_invalid;
+		}
+
 		if (likely(HTTP_IS_SPHT(*ptr))) {
 			st_c_l = ptr - start - st_c;
 			EAT_AND_JUMP_OR_RETURN(ptr, end, http_msg_rpcode_sp, http_msg_ood, state, HTTP_MSG_RPCODE_SP);