gamzinav/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BUG/MAJOR: fcgi: Fix uninitialized reserved bytes

Browse Source 
The output buffer is not zero-initialized. If we don't clear reserved
bytes, fcgi requests sent to backend will leak sensitive data.

This patch must be backported as far as 2.2.

(cherry picked from commit 2e6bf0a2722866ae0128a4392fa2375bd1f03ff8)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit db03179fee55c60a92ce6b86a0f04dbb9ba0328b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
This commit is contained in:
Youfu Zhang 2022-12-09 19:15:48 +08:00 committed by Christopher Faulet
parent 02495c9e7d
commit f988992d16
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/fcgi.c
View File

@ -47,7 +47,7 @@ int fcgi_encode_record_hdr(struct buffer *out, const struct fcgi_header *h)
out->area[len++] = ((h->len >> 8) & 0xff);
out->area[len++] = (h->len & 0xff);
out->area[len++] = h->padding;
len++; /* rsv */
out->area[len++] = 0; /* rsv */
out->data = len;
return 1;
@ -94,7 +94,11 @@ int fcgi_encode_begin_request(struct buffer *out, const struct fcgi_begin_reques
out->area[len++] = ((r->role >> 8) & 0xff);
out->area[len++] = (r->role & 0xff);
out->area[len++] = r->flags;
len += 5; /* rsv */
out->area[len++] = 0; /* rsv */
out->area[len++] = 0;
out->area[len++] = 0;
out->area[len++] = 0;
out->area[len++] = 0;
out->data = len;
return 1;