BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies

Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
header is found then the while(1) loop in
http_manage_server_side_cookies() will never terminate, resulting in
the watchdog firing and the process terminating via SIGABRT.

The while(1) loop becomes unbounded because an unmatched call to
http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
calls to check for "Set-Cookie2" will now enumerate from the beginning
of all the blocks and will once again match on subsequent
passes (assuming a match first time around), hence the loop becoming
unbounded.

This issue was introduced with HTX and this fix should be backported
to all versions supporting HTX.

Many thanks to Grant Spence (gspence@redhat.com) for working through
this issue with me.
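The mechanism the commit message describes, as an added illustration (not HAProxy code): the header array, `find_header()` and `cookie_scan()` below are constructed stand-ins for the HTX block list, `http_find_header()` and the `while (1)` loop in `http_manage_server_side_cookies()`. The stand-in search leaves `ctx->blk == NULL` on a miss, exactly the property the message identifies as the root cause, and the loop model takes a `fixed` flag so the pre-patch and patched conditions can be compared. An iteration cap turns the non-terminating case into a `-1` return instead of a hang.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <strings.h>

/* Constructed stand-in for the HTX block list: one flat header array. */
struct hdr {
    const char *name;
    const char *value;
};

/* Constructed stand-in for the search context; blk mirrors ctx->blk
 * (NULL means "start from the first block"). */
struct find_ctx {
    const struct hdr *blk;
};

/* Constructed stand-in for http_find_header(): resumes after ctx->blk and,
 * on a miss, leaves ctx->blk == NULL, which is the behaviour the commit
 * message identifies as the root cause of the restart. */
static bool find_header(const struct hdr *hdrs, size_t n, const char *name,
                        struct find_ctx *ctx)
{
    size_t start = ctx->blk ? (size_t)(ctx->blk - hdrs) + 1 : 0;

    for (size_t i = start; i < n; i++) {
        if (strcasecmp(hdrs[i].name, name) == 0) {
            ctx->blk = &hdrs[i];
            return true;
        }
    }
    ctx->blk = NULL;
    return false;
}

/* Model of the while(1) loop in http_manage_server_side_cookies().
 * fixed == false reproduces the pre-patch condition, fixed == true the
 * patched one (is_cookie2 short-circuits the Set-Cookie lookup).
 * Returns the number of cookie headers visited, or -1 once max_iter is
 * exceeded, i.e. the loop would never have terminated on its own. */
static int cookie_scan(const struct hdr *hdrs, size_t n, bool fixed, int max_iter)
{
    struct find_ctx ctx = { NULL };
    int is_cookie2 = 0;
    int seen = 0;

    for (int iter = 0; ; iter++) {
        if (iter >= max_iter)
            return -1;  /* stands in for the watchdog firing */
        if ((fixed && is_cookie2) ||
            !find_header(hdrs, n, "Set-Cookie", &ctx)) {
            if (!find_header(hdrs, n, "Set-Cookie2", &ctx))
                break;
            is_cookie2 = 1;
        }
        seen++;
    }
    return seen;
}

/* Constructed sample responses. */
const struct hdr RESP_MIXED[] = {
    { "Content-Type", "text/html" },
    { "Set-Cookie",   "a=1" },
    { "Set-Cookie2",  "b=2" },
};
const size_t RESP_MIXED_N = sizeof(RESP_MIXED) / sizeof(RESP_MIXED[0]);

const struct hdr RESP_PLAIN[] = {
    { "Set-Cookie", "a=1" },
    { "Set-Cookie", "b=2" },
};
const size_t RESP_PLAIN_N = sizeof(RESP_PLAIN) / sizeof(RESP_PLAIN[0]);

const struct hdr RESP_COOKIE2_ONLY[] = {
    { "Set-Cookie2", "b=2" },
};
const size_t RESP_COOKIE2_ONLY_N = 1;

int main(void)
{
    printf("mixed   before/after: %d / %d\n",
           cookie_scan(RESP_MIXED, RESP_MIXED_N, false, 1000),
           cookie_scan(RESP_MIXED, RESP_MIXED_N, true, 1000));
    printf("plain   before/after: %d / %d\n",
           cookie_scan(RESP_PLAIN, RESP_PLAIN_N, false, 1000),
           cookie_scan(RESP_PLAIN, RESP_PLAIN_N, true, 1000));
    printf("cookie2 before/after: %d / %d\n",
           cookie_scan(RESP_COOKIE2_ONLY, RESP_COOKIE2_ONLY_N, false, 1000),
           cookie_scan(RESP_COOKIE2_ONLY, RESP_COOKIE2_ONLY_N, true, 1000));
    return 0;
}
```

Responses with only `Set-Cookie` headers terminate under both conditions, which is why the defect went unnoticed; any response containing a `Set-Cookie2` header spins under the old condition because each Set-Cookie miss resets the context and the Set-Cookie2 search restarts from the first block.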
frobware authored and wtarreau committed Feb 16, 2022
1 parent 1d5fdc5 commit bfb15ab
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/http_ana.c
@@ -3418,7 +3418,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re
while (1) {
int is_first = 1;

if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
break;
is_cookie2 = 1;
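Review bot: the added `is_cookie2 ||` guard is the whole fix, yet nothing in the hunk says why it is needed; a one-line comment above the `if` noting that a failed `http_find_header()` for "Set-Cookie" leaves `ctx->blk` NULL, so the following "Set-Cookie2" lookup would restart from the first block and re-match, would spare the next reader a trip to the commit log. The guard also relies on `is_cookie2` being initialised to 0 before the `while (1)` and never cleared inside the loop; that is outside the visible lines, so worth confirming in review, and a reg-test with a response carrying a `Set-Cookie2` header (the exact trigger described in the commit message) would pin the termination guarantee down.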

4 comments on commit bfb15ab

@tcherel

@tcherel tcherel commented on bfb15ab Mar 7, 2022


@frobware @wtarreau any plan to backport this in a stable haproxy release (2.4 or 2.5)?
Thanks.

@capflam
Member

@capflam capflam commented on bfb15ab Mar 7, 2022


The fix was backported in all affected versions. Last 2.5 and 2.4 releases include it. It is also true for last 2.3 and 2.2 releases. The next 2.0 will ship it too. It will be released this week.

@wtarreau
Member


@tcherel that was done a month ago already (2.4.13 and 2.5.2). If you're running on up-to-date versions (2.4.14 or 2.5.4), you already have it.

@tcherel

@tcherel tcherel commented on bfb15ab Mar 7, 2022


Totally missed that, sorry.
Thanks a lot.
