BUG/MEDIUM: mux-fcgi: Avoid value length overflow when it doesn't fit at once
When the request data are copied into an mbuf, if the free space is too small
to copy all data at once, the data length is shortened. When this is
performed, we reserve the size of the STDIN record header and eventually the
same for the empty STDIN record if it is the last HTX block of the request.
However, there is no test to be sure the free space is large enough. Thus,
in this special case, when the mbuf is almost full, it is possible to
overflow the value length. Because of this bug, it is possible to experience
crashes from time to time.
This patch should fix the issue #1923. It must be backported as far as 2.4.
(cherry picked from commit 52fd8a1b7b8a5a328cb5f4fabd42d2ca7af78760)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 7dbd951a95bf7b4f2ffe94c7bc9ed6be2d5b2ef9)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 387bc73ed1d89c9b9ee7d1c0a1b509148f744075)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
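The length underflow described in the commit message, as an added example that is not HAProxy's code: `struct obuf`, `obuf_room()`, `RECORD_HEADER_SZ` and `obuf_memcat()` are simplified stand-ins (assumptions) for `b_room(&outbuf)`, `FCGI_RECORD_HEADER_SZ` and `chunk_memcat()` in src/mux_fcgi.c. It places the unchecked subtraction next to the clamped form from the patch, and shows why a wrapped `size_t` length can also slip past a bounds check written as `data + len <= size`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not HAProxy code. RECORD_HEADER_SZ, struct obuf and the
 * helpers below are assumptions standing in for FCGI_RECORD_HEADER_SZ,
 * b_room(&outbuf) and chunk_memcat() used in src/mux_fcgi.c. */
#define RECORD_HEADER_SZ 8

struct obuf {
    size_t size;   /* capacity of the output area */
    size_t data;   /* bytes already written */
};

size_t obuf_room(const struct obuf *b)
{
    return b->size - b->data;
}

/* Pre-patch shape of the computation: no check that the room covers the
 * STDIN record header plus the reserved extra bytes. size_t arithmetic
 * wraps, so the "shortened" length becomes enormous instead of small. */
size_t shorten_unchecked(const struct obuf *out, size_t extra_bytes)
{
    return obuf_room(out) - RECORD_HEADER_SZ - extra_bytes;
}

/* Shape of the patched computation: clamp to 0 when the reserved bytes do
 * not fit, so the caller takes its !v.len branch instead of copying. */
size_t shorten_clamped(const struct obuf *out, size_t extra_bytes)
{
    size_t reserved = RECORD_HEADER_SZ + extra_bytes;
    if (reserved > obuf_room(out))
        return 0;
    return obuf_room(out) - reserved;
}

/* A bounds check of the form data + len <= size: the addition itself wraps
 * when len is the underflowed value, so this check passes for a length
 * that is far larger than the buffer. Returns 1 if it (wrongly) fits. */
int naive_fits(const struct obuf *out, size_t len)
{
    return out->data + len <= out->size;
}

/* Wrap-safe check: compare len against the remaining room directly. */
int safe_fits(const struct obuf *out, size_t len)
{
    return len <= obuf_room(out);
}

/* Bounded append standing in for chunk_memcat(): refuses (returns 0) when
 * len does not fit, appends and returns len otherwise. */
size_t obuf_memcat(struct obuf *out, char *storage, const char *src, size_t len)
{
    if (!safe_fits(out, len))
        return 0;
    memcpy(storage + out->data, src, len);
    out->data += len;
    return len;
}

/* Copies as much of a request chunk as the clamped length allows, mirroring
 * the "shorten, then !v.len || !chunk_memcat()" control flow of the hunk.
 * Returns the number of bytes copied (0 means nothing fits, flush first). */
size_t copy_request_chunk(struct obuf *out, char *storage,
                          const char *chunk, size_t chunk_len,
                          size_t extra_bytes)
{
    size_t len = chunk_len;

    if (len + RECORD_HEADER_SZ + extra_bytes > obuf_room(out))
        len = shorten_clamped(out, extra_bytes);
    if (!len)
        return 0;
    return obuf_memcat(out, storage, chunk, len);
}

int main(void)
{
    char storage[16];
    struct obuf out = { sizeof storage, 6 };           /* 10 bytes of room */
    const char chunk[] = "constructed-sample-payload";  /* constructed input */
    size_t bad = shorten_unchecked(&out, RECORD_HEADER_SZ);

    printf("unchecked length: %zu (naive check says fits=%d, safe check fits=%d)\n",
           bad, naive_fits(&out, bad), safe_fits(&out, bad));
    printf("clamped length:   %zu\n", shorten_clamped(&out, RECORD_HEADER_SZ));
    printf("copied: %zu\n", copy_request_chunk(&out, storage, chunk,
                                               sizeof chunk - 1, RECORD_HEADER_SZ));
    return 0;
}
```

With 10 bytes of room and 8 extra bytes reserved, the unchecked form yields `SIZE_MAX - 5`; the `data + len <= size` check wraps back to a small number and accepts it, which is exactly how a bad length turns into an out-of-bounds copy. The clamped form returns 0 and the caller never reaches the copy.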
diff --git a/src/mux_fcgi.c b/src/mux_fcgi.c
index f7b666d..18236be 100644
--- a/src/mux_fcgi.c
+++ b/src/mux_fcgi.c
@@ -2278,7 +2278,9 @@
b_data(&outbuf) + v.len + extra_bytes <= b_room(mbuf) &&
b_data(mbuf) <= MAX_DATA_REALIGN)
goto realign_again;
- v.len = b_room(&outbuf) - FCGI_RECORD_HEADER_SZ - extra_bytes;
+ v.len = (FCGI_RECORD_HEADER_SZ + extra_bytes > b_room(&outbuf)
+ ? 0
+ : b_room(&outbuf) - FCGI_RECORD_HEADER_SZ - extra_bytes);
}
if (!v.len || !chunk_memcat(&outbuf, v.ptr, v.len)) {
if (outbuf.data == FCGI_RECORD_HEADER_SZ)
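Review bot: the ternary `v.len = (FCGI_RECORD_HEADER_SZ + extra_bytes > b_room(&outbuf) ? 0 : ...)` stops the unsigned wrap, but the reason lives only in the commit message; a one-line comment above it saying that the subtraction previously wrapped when the header plus extra_bytes exceeded the room, and that 0 is meant to route into the `if (!v.len || !chunk_memcat(...))` branch below, would spare the next reader from re-deriving it. Since `FCGI_RECORD_HEADER_SZ + extra_bytes` is now evaluated twice in the same statement, factoring it into a local (`reserved`) and writing `v.len = reserved > b_room(&outbuf) ? 0 : b_room(&outbuf) - reserved;` keeps the two halves of the clamp from drifting apart in a later edit. Worth confirming as well that the `outbuf.data == FCGI_RECORD_HEADER_SZ` test in that branch is the intended outcome for the header-only case the clamp now produces.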