From 11389018bc92bf7b94533e682af5cb4bbf0e43d9 Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Thu, 7 Feb 2019 16:13:26 +0100 Subject: [PATCH] BUG/MAJOR: spoe: Don't try to get agent config during SPOP healthcheck During SPOP healthchecks, a dummy appctx is used to create the HAPROXY-HELLO frame and then to parse the AGENT-HELLO frame. No agent are attached to it. So it is important to not rely on an agent during these stages. When HAPROXY-HELLO frame is created, there is no problem, all accesses to an agent are guarded. This is not true during the parsing of the AGENT-HELLO frame. Thus, it is possible to crash HAProxy with a SPOA declaring the async or the pipelining capability during a healthcheck. This patch must be backported to 1.9 and 1.8. --- src/flt_spoe.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/flt_spoe.c b/src/flt_spoe.c index 0f7a21ae3..1a1194fa6 100644 --- a/src/flt_spoe.c +++ b/src/flt_spoe.c @@ -825,10 +825,14 @@ spoe_handle_agenthello_frame(struct appctx *appctx, char *frame, size_t size) SPOE_APPCTX(appctx)->status_code = SPOE_FRM_ERR_NO_FRAME_SIZE; return -1; } - if ((flags & SPOE_APPCTX_FL_PIPELINING) && !(agent->flags & SPOE_FL_PIPELINING)) - flags &= ~SPOE_APPCTX_FL_PIPELINING; - if ((flags & SPOE_APPCTX_FL_ASYNC) && !(agent->flags & SPOE_FL_ASYNC)) - flags &= ~SPOE_APPCTX_FL_ASYNC; + if (!agent) + flags &= ~(SPOE_APPCTX_FL_PIPELINING|SPOE_APPCTX_FL_ASYNC); + else { + if ((flags & SPOE_APPCTX_FL_PIPELINING) && !(agent->flags & SPOE_FL_PIPELINING)) + flags &= ~SPOE_APPCTX_FL_PIPELINING; + if ((flags & SPOE_APPCTX_FL_ASYNC) && !(agent->flags & SPOE_FL_ASYNC)) + flags &= ~SPOE_APPCTX_FL_ASYNC; + } SPOE_APPCTX(appctx)->version = (unsigned int)vsn; SPOE_APPCTX(appctx)->max_frame_size = (unsigned int)max_frame_size;