[BUG] Fix NULL pointer dereference in stats_check_uri_auth(), v2

Recent "struct chunk rework" introduced a NULL pointer dereference and now haproxy segfaults if auth is required for stats but not found. The reason is that size_t cannot store negative values, but current code assumes that "len < 0" == uninitialized. This patch fixes it.
2009-10-04 23:34:15 +02:00 · 2009-10-04 23:34:15 +02:00 · 6f61b21524
commit 6f61b21524
parent ac68c5d92c
3 changed files with 4 additions and 5 deletions
--- a/include/proto/buffers.h
+++ b/include/proto/buffers.h
@ -439,9 +439,9 @@ static inline void chunk_init(struct chunk *chk, char *str, size_t size) {
 }

 /* report 0 in case of error, 1 if OK. */
-static inline int chunk_initlen(struct chunk *chk, char *str, size_t size, size_t len) {
+static inline int chunk_initlen(struct chunk *chk, char *str, size_t size, int len) {

-	if (len > size)
+	if (size && len > size)
 		return 0;

 	chk->str  = str;
--- a/include/types/buffers.h
+++ b/include/types/buffers.h
@ -149,7 +149,7 @@
 struct chunk {
 	char *str;	/* beginning of the string itself. Might not be 0-terminated */
 	size_t size;	/* total size of the buffer, 0 if the *str is read-only */
-	size_t len;	/* current size of the string from first to last char. <0 = uninit. */
+	int len;	/* current size of the string from first to last char. <0 = uninit. */
 };

 /* needed for a declaration below */
--- a/src/proto_http.c
+++ b/src/proto_http.c
@ -4596,8 +4596,7 @@ int stats_check_uri_auth(struct session *t, struct proxy *backend)
 			int len = txn->hdr_idx.v[cur_idx].len;
 			if (len > 14 &&
 			    !strncasecmp("Authorization:", h, 14)) {
-				txn->auth_hdr.str = h;
-				txn->auth_hdr.len = len;
+				chunk_initlen(&txn->auth_hdr, h, 0, len);
 				break;
 			}
 			h += len + txn->hdr_idx.v[cur_idx].cr + 1;