From 0980912282f20a1db64d7ba0a9a825dfee3cb044 Mon Sep 17 00:00:00 2001

From: Andrew McDermott <aim@frobware.com>

Date: Fri, 11 Feb 2022 18:26:49 +0000

Subject: [PATCH] BUG/MAJOR: http/htx: prevent unbounded loop in

 http_manage_server_side_cookies

Ensure calls to http_find_header() terminate. If a "Set-Cookie2"

header is found then the while(1) loop in

http_manage_server_side_cookies() will never terminate, resulting in

the watchdog firing and the process terminating via SIGABRT.

The while(1) loop becomes unbounded because an unmatched call to

http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent

calls to check for "Set-Cookie2" will now enumerate from the beginning

of all the blocks and will once again match on subsequent

passes (assuming a match first time around), hence the loop becoming

unbounded.

This issue was introduced with HTX and this fix should be backported

to all versions supporting HTX.

Many thanks to Grant Spence (gspence@redhat.com) for working through

this issue with me.

(cherry picked from commit bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8)

Signed-off-by: Willy Tarreau <w@1wt.eu>

(cherry picked from commit d8ce72f63e115fa0952e6a58e81c3d15dfc0a509)

Signed-off-by: Willy Tarreau <w@1wt.eu>

---

 src/http_ana.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/http_ana.c b/src/http_ana.c

index 4c765cb39..0f40ab3ab 100644

--- a/src/http_ana.c

+++ b/src/http_ana.c

@@ -3433,7 +3433,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re

 	while (1) {

 		int is_first = 1;

-		if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {

+		if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {

 			if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))

 				break;

 			is_cookie2 = 1;

-- 

2.33.1