https://redmine.lighttpd.net/
https://redmine.lighttpd.net/favicon.ico?1366732741
2018-03-21T06:03:41Z
lighty labs
Lighttpd - Bug #2879: Segfault with proxy-header map-urlpath
https://redmine.lighttpd.net/issues/2879?journal_id=11392
2018-03-21T06:03:41Z
gstrauss
<ul></ul><p>ick! I see a few bugs in http_header_remap_setcookie() but things will have to wait until tomorrow evening for me to have more time to work on a proper fix.</p>
Lighttpd - Bug #2879: Segfault with proxy-header map-urlpath
https://redmine.lighttpd.net/issues/2879?journal_id=11393
2018-03-21T06:04:46Z
gstrauss
<ul><li><strong>Priority</strong> changed from <i>Normal</i> to <i>High</i></li><li><strong>Target version</strong> changed from <i>1.4.x</i> to <i>1.4.50</i></li></ul>
Lighttpd - Bug #2879: Segfault with proxy-header map-urlpath
https://redmine.lighttpd.net/issues/2879?journal_id=11394
2018-03-21T07:03:13Z
gstrauss
<ul></ul><p><strong>!! Not tested !!</strong><br /><pre>
--- a/src/mod_proxy.c
+++ b/src/mod_proxy.c
@@ -341,7 +341,7 @@ static size_t http_header_remap_host (buffer *b, size_t off, http_header_remap_o
/* (future: might move to http-header-glue.c) */
-static void http_header_remap_urlpath (buffer *b, size_t off, http_header_remap_opts *remap_hdrs, int is_req)
+static size_t http_header_remap_urlpath (buffer *b, size_t off, http_header_remap_opts *remap_hdrs, int is_req)
{
const array *urlpaths = remap_hdrs->urlpaths;
if (urlpaths) {
@@ -355,7 +355,7 @@ static void http_header_remap_urlpath (buffer *b, size_t off, http_header_remap_
if (NULL == remap_hdrs->forwarded_urlpath)
remap_hdrs->forwarded_urlpath = ds;
buffer_substr_replace(b, off, mlen, ds->value);
- break;
+ return buffer_string_length(ds->value);/*(replacement len)*/
}
}
}
@@ -365,7 +365,7 @@ static void http_header_remap_urlpath (buffer *b, size_t off, http_header_remap_
const size_t mlen = buffer_string_length(ds->value);
if (mlen <= plen && 0 == memcmp(s, ds->value->ptr, mlen)) {
buffer_substr_replace(b, off, mlen, ds->key);
- return;
+ return buffer_string_length(ds->key); /*(replacement len)*/
}
}
for (size_t i = 0, used = urlpaths->used; i < used; ++i) {
@@ -373,11 +373,12 @@ static void http_header_remap_urlpath (buffer *b, size_t off, http_header_remap_
const size_t mlen = buffer_string_length(ds->value);
if (mlen <= plen && 0 == memcmp(s, ds->value->ptr, mlen)) {
buffer_substr_replace(b, off, mlen, ds->key);
- break;
+ return buffer_string_length(ds->key); /*(replacement len)*/
}
}
}
}
+ return 0;
}
@@ -443,22 +444,22 @@ static void http_header_remap_setcookie (buffer *b, size_t off, http_header_rema
* entire string in b from offset to end of string. In response headers,
* lighttpd may concatenate multiple Set-Cookie headers into single entry
* in con->response.headers, separated by "\r\nSet-Cookie: " */
- for (char *s, *n = b->ptr+off; (s = n); ) {
+ for (char *s = b->ptr+off, *e; *s; s = e) {
size_t len;
- n = strchr(s, '\n');
- if (NULL == n) {
- len = (size_t)(b->ptr + buffer_string_length(b) - s);
- }
- else {
- len = (size_t)(n - s);
- n += sizeof("Set-Cookie: "); /*(include +1 for '\n')*/
- }
- for (char *e = s; NULL != (s = memchr(e, ';', len)); ) {
+ {
+ while (*s != ';' && *s != '\n' && *s != '\0') ++s;
+ if (*s == '\n') {
+ /*(include +1 for '\n', but leave ' ' for ++s below)*/
+ s += sizeof("Set-Cookie:");
+ }
+ if ('\0' == *s) return;
do { ++s; } while (*s == ' ' || *s == '\t');
if ('\0' == *s) return;
+ e = s+1;
+ if ('=' == *s) continue;
/*(interested only in Domain and Path attributes)*/
- e = memchr(s, '=', len - (size_t)(s - e));
- if (NULL == e) { e = s+1; continue; }
+ while (*e != '=' && *e != '\0') ++e;
+ if ('\0' == *e) return;
++e;
switch ((int)(e - s - 1)) {
case 4:
@@ -466,8 +467,8 @@ static void http_header_remap_setcookie (buffer *b, size_t off, http_header_rema
if (*e == '"') ++e;
if (*e != '/') continue;
off = (size_t)(e - b->ptr);
- http_header_remap_urlpath(b, off, remap_hdrs, 0);
- e = b->ptr+off; /*(b may have been reallocated)*/
+ len = http_header_remap_urlpath(b, off, remap_hdrs, 0);
+ e = b->ptr+off+len; /*(b may have been reallocated)*/
continue;
}
break;
</pre></p>
Lighttpd - Bug #2879: Segfault with proxy-header map-urlpath
https://redmine.lighttpd.net/issues/2879?journal_id=11395
2018-03-21T21:05:40Z
ganto
<ul></ul><p>Nice, job. With this patch the segfaults cannot be reproduced anymore.</p>
Lighttpd - Bug #2879: Segfault with proxy-header map-urlpath
https://redmine.lighttpd.net/issues/2879?journal_id=11397
2018-03-22T04:24:42Z
gstrauss
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Patch Pending</i></li><li><strong>Priority</strong> changed from <i>High</i> to <i>Normal</i></li></ul><p>Would have been nicer if I had gotten it right the first time. :/</p>
<p>Thank you for reporting the issue and testing the patch.</p>
Lighttpd - Bug #2879: Segfault with proxy-header map-urlpath
https://redmine.lighttpd.net/issues/2879?journal_id=11398
2018-03-22T04:35:06Z
gstrauss
<ul><li><strong>Status</strong> changed from <i>Patch Pending</i> to <i>Fixed</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="[mod_proxy] fix segfault in Set-Cookie reverse map (fixes #2879) fix segfault in reverse url-pat..." href="https://redmine.lighttpd.net/projects/lighttpd/repository/14/revisions/26fb8d3ee635fb0f2b2f89a766a2ee1f41f6eb46">26fb8d3ee635fb0f2b2f89a766a2ee1f41f6eb46</a>.</p>