BUG/CRITICAL: http_ana: Fix parsing of malformed cookies which start by a delimiter

When client-side or server-side cookies are parsed, HAProxy enters an
infinite loop if a Cookie/Set-Cookie header value starts with a delimiter (a colon
or a semicolon). Depending on the operating system, the service may become
degraded, unresponsive, or may trigger haproxy's watchdog, causing a service stop
or automatic restart.

To fix this bug, in the loop parsing the attributes, we must be sure to always
skip delimiters once the first attribute-value pair was parsed, empty or
not. The credit for the fix goes to Olivier.

CVE-2019-14241 was assigned to this bug. This patch fixes the Github issue #181.

This patch must be backported to 2.0 and 1.9. However, the patch will have to be
adapted.

(cherry picked from commit f0f42389772b2303b162e929449a36b33e181c5f)

Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/src/proto_htx.c b/src/proto_htx.c
index 2824df0..75794fb 100644
--- a/src/proto_htx.c
+++ b/src/proto_htx.c
@@ -3955,6 +3955,7 @@
htx = htxbuf(&req->buf);
ctx.blk = NULL;
while (http_find_header(htx, ist("Cookie"), &ctx, 1)) {
+ int is_first = 1;
del_from = NULL; /* nothing to be deleted */
preserve_hdr = 0; /* assume we may kill the whole header */
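Review bot: the new `int is_first = 1;` is placed directly above the `del_from` / `preserve_hdr` initialisations with no separating blank line, while the matching Set-Cookie hunk inserts one after its declaration; pick one layout for both. Declaring the flag inside the `while (http_find_header(htx, ist("Cookie"), &ctx, 1))` body is the right scope, since it must be reset for every Cookie header rather than once per request.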
@@ -4012,8 +4013,9 @@
/* find att_beg */
att_beg = prev;
- if (prev > hdr_beg)
+ if (!is_first)
att_beg++;
+ is_first = 0;
while (att_beg < hdr_end && HTTP_IS_SPHT(*att_beg))
att_beg++;
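Review bot: replacing `if (prev > hdr_beg)` with `if (!is_first)` deserves a one-line comment at the point of change, because the reason the old test was insufficient is not obvious from the code: when the header value begins with a delimiter, `prev` still equals `hdr_beg` on the second pass, so `att_beg` was never advanced past that delimiter and the attribute loop re-parsed the same position forever. A comment such as `/* skip the delimiter after the first attribute, even if it is empty */` above the `if` would document that. The unconditional `is_first = 0;` after the `if` is correctly placed: only the first pass leaves `att_beg` at `prev`, every later pass steps over the delimiter.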
@@ -4355,6 +4357,8 @@
ctx.blk = NULL;
while (1) {
+ int is_first = 1;
+
if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
break;
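Review bot: here the `is_first` declaration is followed by a blank line, unlike the Cookie hunk above; keep the two consistent. Its position at the top of the `while (1)` body is correct, since the flag is reset before each `Set-Cookie` or `Set-Cookie2` header is located, so a delimiter-leading value in a later header cannot inherit the state left by an earlier one.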
@@ -4418,8 +4422,9 @@
/* find att_beg */
att_beg = prev;
- if (prev > hdr_beg)
+ if (!is_first)
att_beg++;
+ is_first = 0;
while (att_beg < hdr_end && HTTP_IS_SPHT(*att_beg))
att_beg++;
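Review bot: this hunk duplicates the Cookie-side change line for line (`if (!is_first) att_beg++;` followed by `is_first = 0;`), so the attribute-skipping logic is now maintained in two places and a later fix to one is easy to miss in the other. If factoring the attribute scan into a shared helper is out of scope for a CVE fix, at least carry the same explanatory comment here so the reason for `!is_first` instead of `prev > hdr_beg` is recorded on both the request and response sides.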