[CRITICAL] an empty header may lead to a crash A missing pointer assignment in case of an empty header will result in this header's length being 65535, causing a SEGV when accessing the next header. It should not be possible to exploit this problem to run arbitrary code because the crash occurs while reading the data.

commit: b9ebf70a3ab05b0a0c54d488f90763db256881ff [log] [tgz]
author: Willy Tarreau <w@1wt.eu> Fri Jan 26 23:39:38 2007 +0100
committer: Willy Tarreau <w@1wt.eu> Fri Jan 26 23:39:38 2007 +0100
tree: 86ee70837044eba091f5ab3b7bc437040ee518c9
parent: f0d058e8aba2db2034754f02ec70050d69354279 [diff]
diff --git a/src/proto_http.c b/src/proto_http.c
index 5aad97d..c7d91d3 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c

@@ -1018,6 +1018,7 @@
 				buf->data[msg->sov] = ' ';
 			goto http_msg_hdr_l1_sp;
 		}
+		msg->eol = ptr;
 		goto http_msg_complete_header;
 		
 	http_msg_hdr_val:
commit	b9ebf70a3ab05b0a0c54d488f90763db256881ff	[log] [tgz]
author	Willy Tarreau <w@1wt.eu>	Fri Jan 26 23:39:38 2007 +0100
committer	Willy Tarreau <w@1wt.eu>	Fri Jan 26 23:39:38 2007 +0100
tree	86ee70837044eba091f5ab3b7bc437040ee518c9
parent	f0d058e8aba2db2034754f02ec70050d69354279 [diff]