Re: [PATCH] BUG/MAJOR: Fix crash in http_get_fhdr with exactly MAX_HDR_HISTORY headers

2016-03-29 Thread Willy Tarreau
On Tue, Mar 29, 2016 at 01:14:30PM +0200, Nenad Merdanovic wrote:
> Similar issue was fixed in 67dad27, but the fix is incomplete. Crash still
> happened when utilizing req.fhdr() and sending exactly MAX_HDR_HISTORY
> headers.
> 
> This fix needs to be backported to 1.5 and 1.6.

Thanks Nenad for finding this one and sorry for having missed it in the
aforementioned fix. I've backported it to 1.5 and 1.6 as suggested.

Willy



[PATCH] BUG/MAJOR: Fix crash in http_get_fhdr with exactly MAX_HDR_HISTORY headers

2016-03-29 Thread Nenad Merdanovic
Similar issue was fixed in 67dad27, but the fix is incomplete. Crash still
happened when utilizing req.fhdr() and sending exactly MAX_HDR_HISTORY
headers.

This fix needs to be backported to 1.5 and 1.6.

Signed-off-by: Nenad Merdanovic 
---
 src/proto_http.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/proto_http.c b/src/proto_http.c
index b7654a6..7abe493 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -8537,10 +8537,13 @@ unsigned int http_get_fhdr(const struct http_msg *msg, 
const char *hname, int hl
}
if (-occ > found)
return 0;
+
/* OK now we have the last occurrence in [hist_ptr-1], and we need to
-* find occurrence -occ, so we have to check [hist_ptr+occ].
+* find occurrence -occ. 0 <= hist_ptr < MAX_HDR_HISTORY, and we have
+* -10 <= occ <= -1. So we have to check [hist_ptr%MAX_HDR_HISTORY+occ]
+* to remain in the 0..9 range.
 */
-   hist_ptr += occ;
+   hist_ptr += occ + MAX_HDR_HISTORY;
if (hist_ptr >= MAX_HDR_HISTORY)
hist_ptr -= MAX_HDR_HISTORY;
*vptr = ptr_hist[hist_ptr];
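
Review bot: the reworded comment above "hist_ptr += occ + MAX_HDR_HISTORY;" gives the index as [hist_ptr%MAX_HDR_HISTORY+occ], which is not what the code computes and, read literally, is still negative whenever hist_ptr is smaller than -occ. The code adds MAX_HDR_HISTORY first and then folds once, so the comment would be accurate as [(hist_ptr + occ + MAX_HDR_HISTORY) % MAX_HDR_HISTORY]. The comment also hard-codes "-10 <= occ" and "the 0..9 range" while the code uses MAX_HDR_HISTORY, so it goes stale if the constant changes; stating the bounds as -MAX_HDR_HISTORY <= occ <= -1 and 0..MAX_HDR_HISTORY-1 avoids that. Finally, the single "hist_ptr -= MAX_HDR_HISTORY" only lands in range if occ really is no lower than -MAX_HDR_HISTORY, and the only guard visible in this hunk is "if (-occ > found)", so it is worth saying in the comment where that lower bound on occ is enforced.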
-- 
2.7.0