Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 86032c309b1f42177826deaa39f7c26903a074ca
commit86032c309b1f42177826deaa39f7c26903a074ca[log] [tgz]
authorAndrew McDermott <aim@frobware.com>Fri Feb 11 18:26:49 2022 +0000
committerWilly Tarreau <w@1wt.eu>Wed Feb 16 14:52:00 2022 +0100
treeb21e5c52b0e82d50ccd297b21e0ef38587d998ce
parentd276ee572835c2e7d4cdb2b498066bb47f3d8acf [diff]
BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies

Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
header is found then the while(1) loop in
http_manage_server_side_cookies() will never terminate, resulting in
the watchdog firing and the process terminating via SIGABRT.

The while(1) loop becomes unbounded because an unmatched call to
http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
calls to check for "Set-Cookie2" will now enumerate from the beginning
of all the blocks and will once again match on subsequent
passes (assuming a match first time around), hence the loop becoming
unbounded.

This issue was introduced with HTX and this fix should be backported
to all versions supporting HTX.

Many thanks to Grant Spence (gspence@redhat.com) for working through
this issue with me.

(cherry picked from commit bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit d8ce72f63e115fa0952e6a58e81c3d15dfc0a509)
Signed-off-by: Willy Tarreau <w@1wt.eu>
1 file changed
tree: b21e5c52b0e82d50ccd297b21e0ef38587d998ce
  1. .github/
  2. addons/
  3. admin/
  4. dev/
  5. doc/
  6. examples/
  7. include/
  8. reg-tests/
  9. scripts/
  10. src/
  11. tests/
  12. .cirrus.yml
  13. .gitattributes
  14. .gitignore
  15. .travis.yml
  16. BRANCHES
  17. CHANGELOG
  18. CONTRIBUTING
  19. INSTALL
  20. LICENSE
  21. MAINTAINERS
  22. Makefile
  23. README
  24. ROADMAP
  25. SUBVERS
  26. VERDATE
  27. VERSION