From: Youfu Zhang Date: Fri, 9 Dec 2022 19:15:48 +0800 Subject: BUG/MAJOR: fcgi: Fix uninitialized reserved bytes Origin: https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=18575ba4e5057afdb80cc06135272889ae1fa2d1 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-0836 The output buffer is not zero-initialized. If we don't clear reserved bytes, fcgi requests sent to backend will leak sensitive data. This patch must be backported as far as 2.2. (cherry picked from commit 2e6bf0a2722866ae0128a4392fa2375bd1f03ff8) Signed-off-by: Christopher Faulet (cherry picked from commit db03179fee55c60a92ce6b86a0f04dbb9ba0328b) Signed-off-by: Christopher Faulet (cherry picked from commit f988992d16f45ef03d5bbb024a1042ed8123e4c5) Signed-off-by: Christopher Faulet (cherry picked from commit 0dc4cdc276d4a0e3347b7c3c4aedca2a2e0ab428) Signed-off-by: Christopher Faulet (cherry picked from commit 0c86fce8028d409de4181e82eec967cfb1e6268e) Signed-off-by: Christopher Faulet --- src/fcgi.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/fcgi.c b/src/fcgi.c index 1c2543def6b0..778ce9e25cd9 100644 --- a/src/fcgi.c +++ b/src/fcgi.c @@ -47,7 +47,7 @@ int fcgi_encode_record_hdr(struct buffer *out, const struct fcgi_header *h) out->area[len++] = ((h->len >> 8) & 0xff); out->area[len++] = (h->len & 0xff); out->area[len++] = h->padding; - len++; /* rsv */ + out->area[len++] = 0; /* rsv */ out->data = len; return 1; @@ -94,7 +94,11 @@ int fcgi_encode_begin_request(struct buffer *out, const struct fcgi_begin_reques out->area[len++] = ((r->role >> 8) & 0xff); out->area[len++] = (r->role & 0xff); out->area[len++] = r->flags; - len += 5; /* rsv */ + out->area[len++] = 0; /* rsv */ + out->area[len++] = 0; + out->area[len++] = 0; + out->area[len++] = 0; + out->area[len++] = 0; out->data = len; return 1; -- 2.40.0