BUG/MAJOR: Fix crash in http_get_fhdr with exactly MAX_HDR_HISTORY headers Similar issue was fixed in 67dad27, but the fix is incomplete. Crash still happened when utilizing req.fhdr() and sending exactly MAX_HDR_HISTORY headers. This fix needs to be backported to 1.5 and 1.6. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>

commit: 69ad4b997701b08e9de48fce4dc4ceeb7d80cb32 [log] [tgz]
author: Nenad Merdanovic <nmerdan@anine.io> Tue Mar 29 13:14:30 2016 +0200
committer: Willy Tarreau <w@1wt.eu> Tue Mar 29 16:03:41 2016 +0200
tree: 2137bccaa0fbc68f87416fa4e335283e207c7bed
parent: 1789115a52e5c512746717aacd71346a1e328ad5 [diff]
diff --git a/src/proto_http.c b/src/proto_http.c
index b7654a6..7abe493 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c

@@ -8537,10 +8537,13 @@
 	}
 	if (-occ > found)
 		return 0;
+
 	/* OK now we have the last occurrence in [hist_ptr-1], and we need to
-	 * find occurrence -occ, so we have to check [hist_ptr+occ].
+	 * find occurrence -occ. 0 <= hist_ptr < MAX_HDR_HISTORY, and we have
+	 * -10 <= occ <= -1. So we have to check [hist_ptr%MAX_HDR_HISTORY+occ]
+	 * to remain in the 0..9 range.
 	 */
-	hist_ptr += occ;
+	hist_ptr += occ + MAX_HDR_HISTORY;
 	if (hist_ptr >= MAX_HDR_HISTORY)
 		hist_ptr -= MAX_HDR_HISTORY;
 	*vptr = ptr_hist[hist_ptr];
commit	69ad4b997701b08e9de48fce4dc4ceeb7d80cb32	[log] [tgz]
author	Nenad Merdanovic <nmerdan@anine.io>	Tue Mar 29 13:14:30 2016 +0200
committer	Willy Tarreau <w@1wt.eu>	Tue Mar 29 16:03:41 2016 +0200
tree	2137bccaa0fbc68f87416fa4e335283e207c7bed
parent	1789115a52e5c512746717aacd71346a1e328ad5 [diff]