mirror of
https://github.com/haproxy/haproxy.git
synced 2026-03-27 04:43:37 -04:00
c600204ddf
Currently exp_replace() (which is used in reqrep/reqirep) is vulnerable to a buffer overrun. I have been able to reproduce it using the attached configuration file and issuing the following command: wget -O - -S -q http://localhost:8000/`perl -e 'print "a"x4000'`/cookie.php Str was being checked only in in while (str) and it was possible to read past that when more than one character was being accessed in the loop. WT: Note that this bug is only marked MEDIUM because configurations capable of triggering this bug are very unlikely to exist at all due to the fact that most rewrites consist in static string additions that largely fit into the reserved area (8kB by default). This fix should also be backported to 1.4 and possibly even 1.3 since it seems to have been present since 1.1 or so. Config: ------- global maxconn 500 stats socket /tmp/haproxy.sock mode 600 defaults timeout client 1000 timeout connect 5000 timeout server 5000 retries 1 option redispatch listen stats bind :8080 mode http stats enable stats uri /stats stats show-legends listen tcp_1 bind :8000 mode http maxconn 400 balance roundrobin reqrep ^([^\ :]*)\ /(.*)/(.*)\.php(.*) \1\ /\3.php?arg=\2\2\2\2\2\2\2\2\2\2\2\2\2\4 server srv1 127.0.0.1:9000 check port 9000 inter 1000 fall 1 server srv2 127.0.0.1:9001 check port 9001 inter 1000 fall 1 |
||
|---|---|---|
| .. | ||
| accept4.h | ||
| appsession.h | ||
| base64.h | ||
| buffer.h | ||
| cfgparse.h | ||
| chunk.h | ||
| compat.h | ||
| compiler.h | ||
| config.h | ||
| debug.h | ||
| defaults.h | ||
| epoll.h | ||
| errors.h | ||
| hash.h | ||
| memory.h | ||
| mini-clist.h | ||
| rbtree.h | ||
| regex.h | ||
| sessionhash.h | ||
| splice.h | ||
| standard.h | ||
| syscall.h | ||
| template.h | ||
| ticks.h | ||
| time.h | ||
| tools.h | ||
| uri_auth.h | ||
| version.h | ||