New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Crash (SEGV) in http_wait_for_response in 2.2.19, 2.2.24, and 2.2.26 because sl (start line) variable is NULL. #1972
Comments
I'll wait for your config because at first glance, the only way to make it possible is to have a 1XX messages not properly handled. |
Are there other variables from the core file that I could expand/print/display/deref that would help at all? |
Well, it could be useful to know the response origin. In your trace, in You can try to get the backend name (
|
AFAIK, I cannot make calls in gdb because I am not attached to any process. I only have the core dump.
|
Thanks. So the response was sent from a server. Do you know if it is a H1, H2 or FCGI server ? |
I don't - no reproducer and no access logs, and currently no matching config file associated with the core file. If I walk up the stack and inspect other variables can I infer/deduce the server type? |
Is there |
You can try that: |
|
ok, it is a H2 response. I must check the code. But it don't know if a 1XX HEADER frame with a end-stream flag is valid in H2. And how the H2 multiplexer handle this case if it happens. Thanks. I'm digging ... |
So indeed, it is invalid and should be rejected.
But it seems the code does not test this case. I will check tomorrow with @wtarreau to be sure. If I'm right, it will be fixed. Thanks again for your help ! |
As state in RFC9113#8.1, HEADERS frame with the ES flag set that carries an informational status code is malformed. However, there is no test on this condition. On 2.4 and higher, it is hard to predict consequences of this bug because end of the message is only reported with a flag. But on 2.2 and lower, it leads to a crash because there is an unexpected extra EOM block at the end of an interim response. Now, when a ES flag is detected on a HEADERS frame for an interim message, a stream error is sent (RST_STREAM/PROTOCOL_ERROR). This patch should solve the issue #1972. It should be backported as far as 2.0.
Ok, I pushed the fix. It will be backported as usual. Thanks. Note that this issue reveals a bug with your server that should be fixed. |
Many thanks for the super quick fix! |
This vulnerability is being tracked as CVE-2023-0056. |
As state in RFC9113#8.1, HEADERS frame with the ES flag set that carries an informational status code is malformed. However, there is no test on this condition. On 2.4 and higher, it is hard to predict consequences of this bug because end of the message is only reported with a flag. But on 2.2 and lower, it leads to a crash because there is an unexpected extra EOM block at the end of an interim response. Now, when a ES flag is detected on a HEADERS frame for an interim message, a stream error is sent (RST_STREAM/PROTOCOL_ERROR). This patch should solve the issue haproxy#1972. It should be backported as far as 2.0. (cherry picked from commit 827a629) Signed-off-by: Willy Tarreau <w@1wt.eu>
As state in RFC9113#8.1, HEADERS frame with the ES flag set that carries an informational status code is malformed. However, there is no test on this condition. On 2.4 and higher, it is hard to predict consequences of this bug because end of the message is only reported with a flag. But on 2.2 and lower, it leads to a crash because there is an unexpected extra EOM block at the end of an interim response. Now, when a ES flag is detected on a HEADERS frame for an interim message, a stream error is sent (RST_STREAM/PROTOCOL_ERROR). This patch should solve the issue haproxy#1972. It should be backported as far as 2.0. (cherry picked from commit 827a629) Signed-off-by: Willy Tarreau <w@1wt.eu> (cherry picked from commit ebfae00) Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> (cherry picked from commit 84f5cba) Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> (cherry picked from commit f5748a9) Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> (cherry picked from commit 2c681c6) [cf: ctx adjustment] Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
As state in RFC9113#8.1, HEADERS frame with the ES flag set that carries an informational status code is malformed. However, there is no test on this condition. On 2.4 and higher, it is hard to predict consequences of this bug because end of the message is only reported with a flag. But on 2.2 and lower, it leads to a crash because there is an unexpected extra EOM block at the end of an interim response. Now, when a ES flag is detected on a HEADERS frame for an interim message, a stream error is sent (RST_STREAM/PROTOCOL_ERROR). This patch should solve the issue haproxy#1972. It should be backported as far as 2.0. (cherry picked from commit 827a629) Signed-off-by: Willy Tarreau <w@1wt.eu> (cherry picked from commit ebfae00) Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> (cherry picked from commit 84f5cba) Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> (cherry picked from commit f5748a9) Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> (cherry picked from commit 2c681c6) [cf: ctx adjustment] Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> (cherry picked from commit 038a7e8) [cf: ctx adjustment] Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
As state in RFC9113#8.1, HEADERS frame with the ES flag set that carries an informational status code is malformed. However, there is no test on this condition. On 2.4 and higher, it is hard to predict consequences of this bug because end of the message is only reported with a flag. But on 2.2 and lower, it leads to a crash because there is an unexpected extra EOM block at the end of an interim response. Now, when a ES flag is detected on a HEADERS frame for an interim message, a stream error is sent (RST_STREAM/PROTOCOL_ERROR). This patch should solve the issue haproxy#1972. It should be backported as far as 2.0. (cherry picked from commit 827a629) Signed-off-by: Willy Tarreau <w@1wt.eu> (cherry picked from commit ebfae00) Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> (cherry picked from commit 84f5cba) Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
As state in RFC9113#8.1, HEADERS frame with the ES flag set that carries an informational status code is malformed. However, there is no test on this condition. On 2.4 and higher, it is hard to predict consequences of this bug because end of the message is only reported with a flag. But on 2.2 and lower, it leads to a crash because there is an unexpected extra EOM block at the end of an interim response. Now, when a ES flag is detected on a HEADERS frame for an interim message, a stream error is sent (RST_STREAM/PROTOCOL_ERROR). This patch should solve the issue haproxy#1972. It should be backported as far as 2.0. (cherry picked from commit 827a629) Signed-off-by: Willy Tarreau <w@1wt.eu> (cherry picked from commit ebfae00) Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
As state in RFC9113#8.1, HEADERS frame with the ES flag set that carries an informational status code is malformed. However, there is no test on this condition. On 2.4 and higher, it is hard to predict consequences of this bug because end of the message is only reported with a flag. But on 2.2 and lower, it leads to a crash because there is an unexpected extra EOM block at the end of an interim response. Now, when a ES flag is detected on a HEADERS frame for an interim message, a stream error is sent (RST_STREAM/PROTOCOL_ERROR). This patch should solve the issue haproxy#1972. It should be backported as far as 2.0. (cherry picked from commit 827a629) Signed-off-by: Willy Tarreau <w@1wt.eu> (cherry picked from commit ebfae00) Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> (cherry picked from commit 84f5cba) Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> (cherry picked from commit f5748a9) Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Detailed Description of the Problem
haproxy faults / crashes in http_wait_for_response() because the variable
sl
is NULL, after callingsl = http_get_stline(htx);
.I have 3 core dumps from 2.2.19, 2 core dumps from 2.2.24 and 1 core dump from 2.2.26 -- each faulting in the same way.
Expected Behavior
No crash; the call to
sl = http_get_stline(htx);
should check for NULL and return early.Steps to Reproduce the Behavior
I do not have a reproducer; this was reported by a customer and it is occuring a few times a day with any of 2.2.19, 2.2.24, and 2.2.26.
Do you have any idea what may have caused this?
It looks like
sl
is NULL because the underlying htx_blk is of typeHTX_BLK_EOM
.And to decode info we would call htx_get_blk_type()
Do you have an idea how to solve the issue?
Handle the case where the call to
sl = http_get_stline(htx);
is NULL and return/retry.What is your configuration?
Output of
haproxy -vv
Last Outputs and Backtraces
Additional Information
The build of haproxy has been augmented with
-g -ggdb3 -O0 -fno-omit-frame-pointer
.The text was updated successfully, but these errors were encountered: