Re: [BUG] Configuration parser bug when escaping characters

From: Willy Tarreau <w#1wt.eu>
Date: Wed, 2 Dec 2009 23:12:50 +0100


Hi Cyril,

On Mon, Nov 30, 2009 at 07:19:00PM +0100, Cyril Bonté wrote:
> Hello Willy,
>
> Today I was testing headers manipulation but I met a bug with my first test.
> To reproduce it, add for example this line :
>
> rspadd Cache-Control:\ max-age=1500
>
> Check the response header, it will provide :
>
> Cache-Control: max-age=15000 <= the last character is duplicated

This looks crazy !

> This is not due to rspadd but to a more general bug in cfgparse.c :
> ...
>     if (skip) {
>         memmove(line + 1, line + 1 + skip, end - (line + skip + 1));
>         end -= skip;
>     }
> ...
>
> should be :
> ...
>     if (skip) {
>         memmove(line + 1, line + 1 + skip, end - (line + skip));
>         end -= skip;
>     }
> ...

So I guess "end" points to the '\0' at the end. I'll have to check, it's possible that other features are affected as well (rspirep, ACLs, etc...). I find it particularly amazing that you're the first to observe this, considering how old those parts are !

> I've reproduced it with haproxy 1.3.22 and the last 1.4 snapshot.

OK, will review all similar code then :-/

Thanks very much for the report and analysis !

Willy
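The off-by-one discussed in this thread, as an added example that is not part of the original messages and is not haproxy's cfgparse.c: a simplified unescape loop run on the reported line with both memmove lengths. The names `unescape` and `demo` are hypothetical, only backslash-space is handled, and `end` is assumed to point at the terminating '\0', as guessed in the reply above.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the escape handling discussed in the thread.
 * Assumption: "end" points at the terminating '\0'. */
static void unescape(char *line, int copy_nul)
{
    char *end = line + strlen(line);

    while (line < end) {
        if (line[0] == '\\' && line[1] == ' ') {
            int skip = 1;
            *line = line[1];    /* overwrite the backslash with the space */
            /* Everything from line+1+skip up to and including the '\0'
             * at "end" must shift left by "skip" bytes. The reported
             * length stops one byte short: the '\0' is not moved, so the
             * old last character stays in place behind the shifted text. */
            size_t len = copy_nul ? (size_t)(end - (line + skip))
                                  : (size_t)(end - (line + skip + 1));
            memmove(line + 1, line + 1 + skip, len);
            end -= skip;
        }
        line++;
    }
}

/* Copy "in" into "out", unescape it in place and return "out". */
static char *demo(const char *in, int copy_nul, char *out, size_t outsz)
{
    snprintf(out, outsz, "%s", in);
    unescape(out, copy_nul);
    return out;
}

int main(void)
{
    const char *cfg = "Cache-Control:\\ max-age=1500"; /* line from the report */
    char buf[64];

    printf("reported length: [%s]\n", demo(cfg, 0, buf, sizeof(buf)));
    printf("proposed length: [%s]\n", demo(cfg, 1, buf, sizeof(buf)));
    return 0;
}
```

With the shorter length the buffer still ends in the original last byte followed by the original '\0', which is why the header gains one duplicated character per parsed line rather than reading out of bounds.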
