BUG/MEDIUM: mux-fcgi: Don't swap trash and dbuf when handling STDERR records

trahs chunks are buffers but not allocated from the buffers pool. And the "trash" chunk is static and thread-local. It is two reason to not swap it with a regular buffer allocated from the buffers pool. Unfortunatly, it is exactly what is performed in the FCGI mux when a STDERR record is handled. b_xfer() is used to copy data from the demux buffer to the trash to format the error message. A zeor-copy via a swap may be performed. In this case, this leads to a memory corruption and a crash because, some time later, the demux buffer is released because it is empty. And it is in fact the trash chunk. b_force_xfer() must be used instead. This function forces the copy. This patch must be backported as far as 2.2. For 2.4 and 2.2, b_force_xfer() does not exist. For these versions, the following commit must be backported too: * c7860007cc ("MINOR: buf: Add b_force_xfer() function")
2023-09-11 18:57:39 +02:00 · 2023-09-11 18:57:39 +02:00 · 665703d456
commit 665703d456
parent 1115fc348e
1 changed files with 1 additions and 1 deletions
--- a/src/mux_fcgi.c
+++ b/src/mux_fcgi.c
@ -2363,7 +2363,7 @@ static int fcgi_strm_handle_stderr(struct fcgi_conn *fconn, struct fcgi_strm *fs
 		goto fail; // incomplete record

 	chunk_reset(&trash);
-	ret = b_xfer(&trash, dbuf, MIN(b_room(&trash), fconn->drl));
+	ret = b_force_xfer(&trash, dbuf, MIN(b_room(&trash), fconn->drl));
 	if (!ret)
 		goto fail;
 	fconn->drl -= ret;