Re: [PATCH] [BUG] Fix NULL pointer dereference in stats_check_uri_auth()

From: Krzysztof Oledzki <ole#ans.pl>
Date: Sun, 4 Oct 2009 23:18:09 +0200 (CEST)

On Sun, 4 Oct 2009, Krzysztof Piotr Oledzki wrote:

> From fc217df5d282cfbc275f3eff286885aae0a0e117 Mon Sep 17 00:00:00 2001
> From: Krzysztof Piotr Oledzki <ole#ans.pl>
> Date: Sun, 4 Oct 2009 23:00:16 +0200
> Subject: [BUG] Fix NULL pointer dereference in stats_check_uri_auth()
>
> Recent "struct chunk rework" exposed a NULL pointer dereference:
> txn->auth_hdr is used even if it was not initialized and now
> haproxy segfaults if auth is required for stats but not found.
>
> This patch fixes it.
> ---
> src/proto_http.c | 5 +++--
> 1 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/src/proto_http.c b/src/proto_http.c
> index 6cd0b40..a73a580 100644
> --- a/src/proto_http.c
> +++ b/src/proto_http.c
> @@ -4563,7 +4563,7 @@ int stats_check_uri_auth(struct session *t, struct proxy *backend)
> struct http_txn *txn = &t->txn;
> struct uri_auth *uri_auth = backend->uri_auth;
> struct user_auth *user;
> - int authenticated, cur_idx;
> + int authenticated, cur_idx, found = 0;
> char *h;
>
> memset(&t->data_ctx.stats, 0, sizeof(t->data_ctx.stats));
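
Review bot: "found = 0" in the declaration line adds a second piece of state for something txn->auth_hdr could express on its own. The only reset visible in this context is the memset of t->data_ctx.stats. If txn->auth_hdr is not cleared before the header scan, setting txn->auth_hdr.str = NULL and txn->auth_hdr.len = 0 at this point would let the existing "len < 21" test reject the missing-header case without a separate flag.
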
> @@ -4632,12 +4632,13 @@ int stats_check_uri_auth(struct session *t, struct proxy *backend)
> !strncasecmp("Authorization:", h, 14)) {
> txn->auth_hdr.str = h;
> txn->auth_hdr.len = len;
> + found++;
> break;
> }
> h += len + txn->hdr_idx.v[cur_idx].cr + 1;
> }
>
> - if (txn->auth_hdr.len < 21 ||
> + if (!found || txn->auth_hdr.len < 21 ||
> memcmp(txn->auth_hdr.str + 14, " Basic ", 7))
> user = NULL;
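
Review bot: the "!found ||" guard in the final condition protects only this one test. When no Authorization header matches, txn->auth_hdr.str and txn->auth_hdr.len are still left unassigned by this function, so any later reader of txn->auth_hdr sees the same uninitialized value. Consider clearing both fields on the not-found path instead of, or in addition to, the flag. Separately, "found++" is followed directly by "break", so the variable is only ever 0 or 1; "found = 1" says that more plainly. The commit message should also state where the uninitialized value comes from, since "len < 21" would already cover a zeroed auth_hdr.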

Please hold, "txn->auth_hdr.len < 21" should handle it - the bug is probably in a different place.

Best regards,

                         Krzysztof Olędzki