Package: haproxy / 1.5.8-3+deb8u2

from-upstream/0005-BUG-MEDIUM-connection-sanitize-PPv2-header-length-be.patch Patch series | download
From 86664f6de45d2c1c48bd4b9db7aa5c0de4354325 Mon Sep 17 00:00:00 2001
From: KOVACS Krisztian <hidden@balabit.com>
Date: Wed, 19 Nov 2014 10:53:20 +0100
Subject: [PATCH 5/9] BUG/MEDIUM: connection: sanitize PPv2 header length
 before parsing address information

Previously, if hdr_v2->len was less than the length of the
protocol-specific address information, we could have read past the end
of the buffer and initialized the sockaddr structure with junk.

Signed-off-by: KOVACS Krisztian <hidden@balabit.com>

[WT: this is only tagged medium since proxy protocol is only used from
 trusted sources]

This must be backported to 1.5.
(cherry picked from commit efd3aa93412648cf923bf3d2e171c0b84e9d7a69)
---
 src/connection.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/connection.c b/src/connection.c
index 3af6d9afd7e9..b9f5c42b44e6 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -424,6 +424,9 @@ int conn_recv_proxy(struct connection *conn, int flag)
 	case 0x01: /* PROXY command */
 		switch (hdr_v2->fam) {
 		case 0x11:  /* TCPv4 */
+			if (ntohs(hdr_v2->len) < PP2_ADDR_LEN_INET)
+				goto bad_header;
+
 			((struct sockaddr_in *)&conn->addr.from)->sin_family = AF_INET;
 			((struct sockaddr_in *)&conn->addr.from)->sin_addr.s_addr = hdr_v2->addr.ip4.src_addr;
 			((struct sockaddr_in *)&conn->addr.from)->sin_port = hdr_v2->addr.ip4.src_port;
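Review bot: The new guard in the TCPv4 case, and the matching one in the TCPv6 case of the next hunk, compares only the peer-declared `hdr_v2->len` with the address-block size. It therefore stops the over-read only if code earlier in conn_recv_proxy, outside this hunk, has already confirmed that the bytes actually received cover the fixed header plus that declared length; this is worth verifying when backporting. The commit rates the bug medium on the assumption that PROXY headers come only from trusted sources, so a short comment above each check would make the invariant explicit, e.g. `/* len is peer-supplied: the address block must fit inside it before addr.ip4 is read */`. The function body starts and ends outside both hunks.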
@@ -433,6 +436,9 @@ int conn_recv_proxy(struct connection *conn, int flag)
 			conn->flags |= CO_FL_ADDR_FROM_SET | CO_FL_ADDR_TO_SET;
 			break;
 		case 0x21:  /* TCPv6 */
+			if (ntohs(hdr_v2->len) < PP2_ADDR_LEN_INET6)
+				goto bad_header;
+
 			((struct sockaddr_in6 *)&conn->addr.from)->sin6_family = AF_INET6;
 			memcpy(&((struct sockaddr_in6 *)&conn->addr.from)->sin6_addr, hdr_v2->addr.ip6.src_addr, 16);
 			((struct sockaddr_in6 *)&conn->addr.from)->sin6_port = hdr_v2->addr.ip6.src_port;
-- 
2.1.3