BUG/MAJOR: fcgi: Fix uninitialized reserved bytes The output buffer is not zero-initialized. If we don't clear reserved bytes, fcgi requests sent to backend will leak sensitive data. This patch must be backported as far as 2.2.

commit: 2e6bf0a2722866ae0128a4392fa2375bd1f03ff8 [log] [tgz]
author: Youfu Zhang <zhangyoufu@gmail.com> Fri Dec 09 19:15:48 2022 +0800
committer: Christopher Faulet <cfaulet@haproxy.com> Fri Dec 09 12:23:14 2022 +0100
tree: dc67b4eb4d5827b4dacec73ed62a210759d03a2a
parent: 7edec90c002740df26d13f8f780f5ccd762fb876 [diff] [blame]
diff --git a/src/fcgi.c b/src/fcgi.c
index dcf2db2..1d1a82b 100644
--- a/src/fcgi.c
+++ b/src/fcgi.c

@@ -47,7 +47,7 @@
 	out->area[len++] = ((h->len >> 8) & 0xff);
 	out->area[len++] = (h->len & 0xff);
 	out->area[len++] = h->padding;
-	len++; /* rsv */
+	out->area[len++] = 0; /* rsv */
 
 	out->data = len;
 	return 1;
@@ -94,7 +94,11 @@
 	out->area[len++] = ((r->role >> 8) & 0xff);
 	out->area[len++] = (r->role & 0xff);
 	out->area[len++] = r->flags;
-	len += 5; /* rsv */
+	out->area[len++] = 0; /* rsv */
+	out->area[len++] = 0;
+	out->area[len++] = 0;
+	out->area[len++] = 0;
+	out->area[len++] = 0;
 
 	out->data = len;
 	return 1;
commit	2e6bf0a2722866ae0128a4392fa2375bd1f03ff8	[log] [tgz]
author	Youfu Zhang <zhangyoufu@gmail.com>	Fri Dec 09 19:15:48 2022 +0800
committer	Christopher Faulet <cfaulet@haproxy.com>	Fri Dec 09 12:23:14 2022 +0100
tree	dc67b4eb4d5827b4dacec73ed62a210759d03a2a
parent	7edec90c002740df26d13f8f780f5ccd762fb876 [diff] [blame]