upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-04-08 18:36:18 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

BUG/MEDIUM: jwe: fix memory leak in jwt_decrypt_secret with var argument

Browse source 
When the secret argument to jwt_decrypt_secret is a variable
(ARGT_VAR) rather than a literal string, alloc_trash_chunk() is
called to hold the base64-decoded secret but the buffer is never
released. The end: label frees input, decrypted_cek, out, and the
decoded_items array but not secret.

Each request leaks one trash chunk (~tune.bufsize, default 16KB).
At ~65000 requests per GiB this allows slow memory exhaustion DoS
against any config of the form:

    http-request set-var(txn.x) req.hdr(...),jwt_decrypt_secret(txn.key)

This must be backported as far as JWE support exists.
This commit is contained in:
Greg Kroah-Hartman 2026-04-07 09:48:15 +02:00 committed by William Lallemand
parent 648b0e7bea
commit 5161415653
1 changed files with 1 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
src/jwe.c
View file

@ -738,6 +738,7 @@ static int sample_conv_jwt_decrypt_secret(const struct arg *args, struct sample
end:
clear_jose_fields(&fields);
free_trash_chunk(input);
free_trash_chunk(secret);
free_trash_chunk(decrypted_cek);
free_trash_chunk(out);
clear_decoded_items(decoded_items);