49 lines
1.8 KiB
Diff
49 lines
1.8 KiB
Diff
From 0980912282f20a1db64d7ba0a9a825dfee3cb044 Mon Sep 17 00:00:00 2001
|
|
From: Andrew McDermott <aim@frobware.com>
|
|
Date: Fri, 11 Feb 2022 18:26:49 +0000
|
|
Subject: [PATCH] BUG/MAJOR: http/htx: prevent unbounded loop in
|
|
http_manage_server_side_cookies
|
|
|
|
Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
|
|
header is found then the while(1) loop in
|
|
http_manage_server_side_cookies() will never terminate, resulting in
|
|
the watchdog firing and the process terminating via SIGABRT.
|
|
|
|
The while(1) loop becomes unbounded because an unmatched call to
|
|
http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
|
|
calls to check for "Set-Cookie2" will now enumerate from the beginning
|
|
of all the blocks and will once again match on subsequent
|
|
passes (assuming a match first time around), hence the loop becoming
|
|
unbounded.
|
|
|
|
This issue was introduced with HTX and this fix should be backported
|
|
to all versions supporting HTX.
|
|
|
|
Many thanks to Grant Spence (gspence@redhat.com) for working through
|
|
this issue with me.
|
|
|
|
(cherry picked from commit bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8)
|
|
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
|
(cherry picked from commit d8ce72f63e115fa0952e6a58e81c3d15dfc0a509)
|
|
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
|
---
|
|
src/http_ana.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/src/http_ana.c b/src/http_ana.c
|
|
index 4c765cb39..0f40ab3ab 100644
|
|
--- a/src/http_ana.c
|
|
+++ b/src/http_ana.c
|
|
@@ -3433,7 +3433,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re
|
|
while (1) {
|
|
int is_first = 1;
|
|
|
|
- if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
|
|
+ if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
|
|
if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
|
|
break;
|
|
is_cookie2 = 1;
|
|
--
|
|
2.33.1
|
|
|