From: Andrew McDermott
Date: Fri, 11 Feb 2022 18:26:49 +0000 (+0000)
Subject: BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies
X-Git-Tag: archive/raspbian/2.2.9-2+rpi1+deb11u6^2~13
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=1a03b7933a347fbcdcd17be4540f50f49a560d7e;p=haproxy.git

BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies

Origin: https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=eb1bdcb7cf6e7bd1690f7dcc6d97de3d79b54cdc
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-0711

Ensure calls to http_find_header() terminate. If a "Set-Cookie2" header is found then the while(1) loop in http_manage_server_side_cookies() will never terminate, resulting in the watchdog firing and the process terminating via SIGABRT.

The while(1) loop becomes unbounded because an unmatched call to http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent calls to check for "Set-Cookie2" will now enumerate from the beginning of all the blocks and will once again match on subsequent passes (assuming a match first time around), hence the loop becoming unbounded.

This issue was introduced with HTX and this fix should be backported to all versions supporting HTX.

Many thanks to Grant Spence (gspence@redhat.com) for working through this issue with me.

(cherry picked from commit bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8)
Signed-off-by: Willy Tarreau
(cherry picked from commit d8ce72f63e115fa0952e6a58e81c3d15dfc0a509)
Signed-off-by: Willy Tarreau
(cherry picked from commit 86032c309b1f42177826deaa39f7c26903a074ca)
Signed-off-by: Christopher Faulet
(cherry picked from commit 3cd203d61609fd427234fdb4f793193980860348)
Signed-off-by: Christopher Faulet

Gbp-Pq: Name 0001-BUG-MAJOR-http-htx-prevent-unbounded-loop-in-http_ma.patch
---
diff --git a/src/http_ana.c b/src/http_ana.c index afebf65..54bfc5f 100644 --- a/src/http_ana.c +++ b/src/http_ana.c
@@ -3560,7 +3560,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re while (1) { int is_first = 1; - if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) { + if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) { if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1)) break; is_cookie2 = 1;
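
Review bot: The new `is_cookie2 ||` test at the top of the `while (1)` loop carries a non-obvious invariant and should have a code comment. Once the "Set-Cookie" search has failed it must not be retried with the same `ctx`, because, per the commit message, the failed search leaves `ctx->blk` NULL and the following "Set-Cookie2" search then restarts from the first block and matches again. Without that comment a later cleanup could drop the flag check as redundant and bring back the watchdog abort. The condition also reads `is_cookie2` on the first iteration, and its declaration is outside this hunk, so confirm it is initialized to 0 before the loop. A regression test whose server response carries a "Set-Cookie2" header would pin the termination behaviour.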