mirror/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git synced 2026-02-03 23:13:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MINOR: config: check capture pool creations for failures

Browse Source 
A few capture pools can fail in case of too large values for example.
These include the req_uri, capture, and caphdr pools, and may be triggered
with "tune.http.logurilen 2147483647" in the global section, or one of
these in a frontend:

  capture request header name len 2147483647
  http-request capture src len 2147483647
  tcp-request content capture src len 2147483647

These seem to be the only occurrences where create_pool()'s return value
is assigned without being checked, so let's add the proper check for
errors there. This can be backported as a hardening measure though the
risks and impacts are extremely low.
This commit is contained in:
Willy Tarreau
2026-01-26 11:13:29 +01:00
parent c267d24f57
commit 4e7c07736a
4 changed files with 23 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/cfgparse.c
View File

@@ -2324,6 +2324,12 @@ int check_config_validity()
pool_head_capture = create_pool("capture", global.tune.cookie_len, MEM_F_SHARED);
/* both will have already emitted an error message if needed */
if (!pool_head_requri || !pool_head_capture) {
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
/* Post initialisation of the users and groups lists. */
err_code = userlist_postinit();
if (err_code != ERR_NONE)

6
src/http_act.c
View File

@@ -960,6 +960,12 @@ static enum act_parse_ret parse_http_req_capture(const char **args, int *orig_ar
hdr->namelen = 0;
hdr->len = len;
hdr->pool = create_pool("caphdr", hdr->len + 1, MEM_F_SHARED);
if (!hdr->pool) {
memprintf(err, "out of memory");
free(hdr);
release_sample_expr(expr);
return ACT_RET_PRS_ERR;
}
hdr->index = px->nb_req_cap++;
px->req_cap = hdr;

5
src/proxy.c
View File

@@ -878,6 +878,11 @@ static int proxy_parse_declare(char **args, int section, struct proxy *curpx,
hdr->namelen = 0;
hdr->len = len;
hdr->pool = create_pool("caphdr", hdr->len + 1, MEM_F_SHARED);
if (!hdr->pool) {
memprintf(err, "out of memory");
free(hdr);
return -1;
}
if (strcmp(args[2], "request") == 0) {
hdr->next = curpx->req_cap;

6
src/tcp_rules.c
View File

@@ -970,6 +970,12 @@ static int tcp_parse_request_rule(char **args, int arg, int section_type,
hdr->namelen = 0;
hdr->len = len;
hdr->pool = create_pool("caphdr", hdr->len + 1, MEM_F_SHARED);
if (!hdr->pool) {
memprintf(err, "parsing [%s:%d] : out of memory", file, line);
free(hdr);
release_sample_expr(expr);
return -1;
}
hdr->index = curpx->nb_req_cap++;
curpx->req_cap = hdr;