diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile index dc254bc709..52ce9f052c 100644 --- a/net/haproxy/Makefile +++ b/net/haproxy/Makefile @@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=haproxy -PKG_VERSION:=1.5.8 -PKG_RELEASE:=06 +PKG_VERSION:=1.5.9 +PKG_RELEASE:=02 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/ PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION) -PKG_MD5SUM:=7bffa1afa069d90ce03b7cd9aa0557cd +PKG_MD5SUM:=b7672bb6a8aa188a655b418f3c96f65c PKG_MAINTAINER:=Thomas Heil PKG_LICENSE:=GPL-2.0 diff --git a/net/haproxy/patches/0001-BUG-MEDIUM-patterns-previous-fix-was-incomplete.patch b/net/haproxy/patches/0001-BUG-MEDIUM-patterns-previous-fix-was-incomplete.patch new file mode 100644 index 0000000000..c21234fad1 --- /dev/null +++ b/net/haproxy/patches/0001-BUG-MEDIUM-patterns-previous-fix-was-incomplete.patch @@ -0,0 +1,34 @@ +From bad3c6f1b6d776e5d9951a3b3054b4dce8922c54 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Wed, 26 Nov 2014 13:17:03 +0100 +Subject: [PATCH 1/2] BUG/MEDIUM: patterns: previous fix was incomplete + +Dmitry Sivachenko reported that commit 315ec42 +("BUG/MEDIUM: pattern: don't load more than once a pattern list.") +relies on an uninitialised variable in the stack. While it used to +work fine during the tests, if the uninitialized variable is non-null, +some patterns may be aggregated if loaded multiple times, resulting in +slower processing, which was the original issue it tried to address. + +The fix needs to be backported to 1.5. +(cherry picked from commit 4deaf39243c4d941998b1b0175bad05b8a287c0b) +--- + src/pattern.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pattern.c b/src/pattern.c +index 20547f9..208e33a 100644 +--- a/src/pattern.c ++++ b/src/pattern.c +@@ -2096,7 +2096,7 @@ int pattern_read_from_file(struct pattern_head *head, unsigned int refflags, + struct pat_ref *ref; + struct pattern_expr *expr; + struct pat_ref_elt *elt; +- int reuse; ++ int reuse = 0; + + /* Lookup for the existing reference. */ + ref = pat_ref_lookup(filename); +-- +2.0.4 + diff --git a/net/haproxy/patches/0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch b/net/haproxy/patches/0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch deleted file mode 100644 index 27a41ce77a..0000000000 --- a/net/haproxy/patches/0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 184422d39df1aa27e6ef4c1ae75177489147ec99 Mon Sep 17 00:00:00 2001 -From: Arcadiy Ivanov -Date: Tue, 4 Nov 2014 07:06:13 -0500 -Subject: [PATCH 1/6] BUILD: fix "make install" to support spaces in the - install dirs - -Makefile is unable to install into directories containing spaces. -(cherry picked from commit 3785311e64792787de78370fa126fd806734f7fe) ---- - Makefile | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/Makefile b/Makefile -index 707037b..9556069 100644 ---- a/Makefile -+++ b/Makefile -@@ -710,19 +710,19 @@ src/dlmalloc.o: $(DLMALLOC_SRC) - $(CC) $(COPTS) -DDEFAULT_MMAP_THRESHOLD=$(DLMALLOC_THRES) -c -o $@ $< - - install-man: -- install -d $(DESTDIR)$(MANDIR)/man1 -- install -m 644 doc/haproxy.1 $(DESTDIR)$(MANDIR)/man1 -+ install -d "$(DESTDIR)$(MANDIR)"/man1 -+ install -m 644 doc/haproxy.1 "$(DESTDIR)$(MANDIR)"/man1 - - install-doc: -- install -d $(DESTDIR)$(DOCDIR) -+ install -d "$(DESTDIR)$(DOCDIR)" - for x in configuration architecture haproxy-en haproxy-fr; do \ -- install -m 644 doc/$$x.txt $(DESTDIR)$(DOCDIR) ; \ -+ install -m 644 doc/$$x.txt "$(DESTDIR)$(DOCDIR)" ; \ - done - - install-bin: haproxy haproxy-systemd-wrapper -- install -d $(DESTDIR)$(SBINDIR) -- install haproxy $(DESTDIR)$(SBINDIR) -- install haproxy-systemd-wrapper $(DESTDIR)$(SBINDIR) -+ install -d "$(DESTDIR)$(SBINDIR)" -+ install haproxy "$(DESTDIR)$(SBINDIR)" -+ install haproxy-systemd-wrapper "$(DESTDIR)$(SBINDIR)" - - install: install-bin install-man install-doc - --- -2.0.4 - diff --git a/net/haproxy/patches/0002-BUG-MEDIUM-payload-ensure-that-a-request-channel-is-.patch b/net/haproxy/patches/0002-BUG-MEDIUM-payload-ensure-that-a-request-channel-is-.patch new file mode 100644 index 0000000000..d2161ef8f3 --- /dev/null +++ b/net/haproxy/patches/0002-BUG-MEDIUM-payload-ensure-that-a-request-channel-is-.patch @@ -0,0 +1,49 @@ +From 1e89acb6be9ba6400fe4defd3b6b2cc94c6667d9 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Wed, 26 Nov 2014 13:24:24 +0100 +Subject: [PATCH 2/2] BUG/MEDIUM: payload: ensure that a request channel is + available + +Denys Fedoryshchenko reported a segfault when using certain +sample fetch functions in the "tcp-request connection" rulesets +despite the warnings. This is because some tests for the existence +of the channel were missing. + +The fetches which were fixed are : + - req.ssl_hello_type + - rep.ssl_hello_type + - req.ssl_sni + +This fix must be backported to 1.5. +(cherry picked from commit 83f2592bcd2e186beeabcba16be16faaab82bd39) +--- + src/payload.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/payload.c b/src/payload.c +index 4057f6f..f62163c 100644 +--- a/src/payload.c ++++ b/src/payload.c +@@ -72,6 +72,9 @@ smp_fetch_ssl_hello_type(struct proxy *px, struct session *s, void *l7, unsigned + + chn = ((opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? s->rep : s->req; + ++ if (!chn) ++ goto not_ssl_hello; ++ + bleft = chn->buf->i; + data = (const unsigned char *)chn->buf->p; + +@@ -276,6 +279,9 @@ smp_fetch_ssl_hello_sni(struct proxy *px, struct session *s, void *l7, unsigned + + chn = ((opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? s->rep : s->req; + ++ if (!chn) ++ goto not_ssl_hello; ++ + bleft = chn->buf->i; + data = (unsigned char *)chn->buf->p; + +-- +2.0.4 + diff --git a/net/haproxy/patches/0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch b/net/haproxy/patches/0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch deleted file mode 100644 index 33f35b3cf8..0000000000 --- a/net/haproxy/patches/0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 90951497008967f10ba8f9927b53c6e6bc138540 Mon Sep 17 00:00:00 2001 -From: Emeric Brun -Date: Wed, 12 Nov 2014 17:35:37 +0100 -Subject: [PATCH 2/6] BUG/MEDIUM: ssl: fix bad ssl context init can cause - segfault in case of OOM. - -Some SSL context's init functions errors were not handled and -can cause a segfault due to an incomplete SSL context -initialization. - -This fix must be backported to 1.5. -(cherry picked from commit 5547615cdac377797ae351a2e024376dbf6d6963) ---- - src/ssl_sock.c | 44 ++++++++++++++++++++++++++++++++++---------- - 1 file changed, 34 insertions(+), 10 deletions(-) - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index f8bfbe7..620609f 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -2040,15 +2040,29 @@ static int ssl_sock_init(struct connection *conn) - return -1; - } - -- SSL_set_connect_state(conn->xprt_ctx); -- if (objt_server(conn->target)->ssl_ctx.reused_sess) -- SSL_set_session(conn->xprt_ctx, objt_server(conn->target)->ssl_ctx.reused_sess); -- - /* set fd on SSL session context */ -- SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd); -+ if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) { -+ SSL_free(conn->xprt_ctx); -+ conn->xprt_ctx = NULL; -+ conn->err_code = CO_ER_SSL_NO_MEM; -+ return -1; -+ } - - /* set connection pointer */ -- SSL_set_app_data(conn->xprt_ctx, conn); -+ if (!SSL_set_app_data(conn->xprt_ctx, conn)) { -+ SSL_free(conn->xprt_ctx); -+ conn->xprt_ctx = NULL; -+ conn->err_code = CO_ER_SSL_NO_MEM; -+ return -1; -+ } -+ -+ SSL_set_connect_state(conn->xprt_ctx); -+ if (objt_server(conn->target)->ssl_ctx.reused_sess) { -+ if(!SSL_set_session(conn->xprt_ctx, objt_server(conn->target)->ssl_ctx.reused_sess)) { -+ SSL_SESSION_free(objt_server(conn->target)->ssl_ctx.reused_sess); -+ objt_server(conn->target)->ssl_ctx.reused_sess = NULL; -+ } -+ } - - /* leave init state and start handshake */ - conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN; -@@ -2065,13 +2079,23 @@ static int ssl_sock_init(struct connection *conn) - return -1; - } - -- SSL_set_accept_state(conn->xprt_ctx); -- - /* set fd on SSL session context */ -- SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd); -+ if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) { -+ SSL_free(conn->xprt_ctx); -+ conn->xprt_ctx = NULL; -+ conn->err_code = CO_ER_SSL_NO_MEM; -+ return -1; -+ } - - /* set connection pointer */ -- SSL_set_app_data(conn->xprt_ctx, conn); -+ if (!SSL_set_app_data(conn->xprt_ctx, conn)) { -+ SSL_free(conn->xprt_ctx); -+ conn->xprt_ctx = NULL; -+ conn->err_code = CO_ER_SSL_NO_MEM; -+ return -1; -+ } -+ -+ SSL_set_accept_state(conn->xprt_ctx); - - /* leave init state and start handshake */ - conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN; --- -2.0.4 - diff --git a/net/haproxy/patches/0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch b/net/haproxy/patches/0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch deleted file mode 100644 index 422471dd2c..0000000000 --- a/net/haproxy/patches/0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 9bcc01ae25985dd540080f43b160beab1f1a2bc6 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Thu, 13 Nov 2014 13:48:58 +0100 -Subject: [PATCH 3/6] BUG/MEDIUM: ssl: force a full GC in case of memory - shortage - -When memory becomes scarce and openssl refuses to allocate a new SSL -session, it is worth freeing the pools and trying again instead of -rejecting all incoming SSL connection. This can happen when some -memory usage limits have been assigned to the haproxy process using --m or with ulimit -m/-v. - -This is mostly an enhancement of previous fix and is worth backporting -to 1.5. -(cherry picked from commit fba03cdc5ac6e3ca318b34915596cbc0a0dacc55) ---- - src/ssl_sock.c | 30 ++++++++++++++++++++++++++++++ - 1 file changed, 30 insertions(+) - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 620609f..f50efe5 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -2033,9 +2033,16 @@ static int ssl_sock_init(struct connection *conn) - /* If it is in client mode initiate SSL session - in connect state otherwise accept state */ - if (objt_server(conn->target)) { -+ int may_retry = 1; -+ -+ retry_connect: - /* Alloc a new SSL session ctx */ - conn->xprt_ctx = SSL_new(objt_server(conn->target)->ssl_ctx.ctx); - if (!conn->xprt_ctx) { -+ if (may_retry--) { -+ pool_gc2(); -+ goto retry_connect; -+ } - conn->err_code = CO_ER_SSL_NO_MEM; - return -1; - } -@@ -2044,6 +2051,10 @@ static int ssl_sock_init(struct connection *conn) - if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) { - SSL_free(conn->xprt_ctx); - conn->xprt_ctx = NULL; -+ if (may_retry--) { -+ pool_gc2(); -+ goto retry_connect; -+ } - conn->err_code = CO_ER_SSL_NO_MEM; - return -1; - } -@@ -2052,6 +2063,10 @@ static int ssl_sock_init(struct connection *conn) - if (!SSL_set_app_data(conn->xprt_ctx, conn)) { - SSL_free(conn->xprt_ctx); - conn->xprt_ctx = NULL; -+ if (may_retry--) { -+ pool_gc2(); -+ goto retry_connect; -+ } - conn->err_code = CO_ER_SSL_NO_MEM; - return -1; - } -@@ -2072,9 +2087,16 @@ static int ssl_sock_init(struct connection *conn) - return 0; - } - else if (objt_listener(conn->target)) { -+ int may_retry = 1; -+ -+ retry_accept: - /* Alloc a new SSL session ctx */ - conn->xprt_ctx = SSL_new(objt_listener(conn->target)->bind_conf->default_ctx); - if (!conn->xprt_ctx) { -+ if (may_retry--) { -+ pool_gc2(); -+ goto retry_accept; -+ } - conn->err_code = CO_ER_SSL_NO_MEM; - return -1; - } -@@ -2083,6 +2105,10 @@ static int ssl_sock_init(struct connection *conn) - if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) { - SSL_free(conn->xprt_ctx); - conn->xprt_ctx = NULL; -+ if (may_retry--) { -+ pool_gc2(); -+ goto retry_accept; -+ } - conn->err_code = CO_ER_SSL_NO_MEM; - return -1; - } -@@ -2091,6 +2117,10 @@ static int ssl_sock_init(struct connection *conn) - if (!SSL_set_app_data(conn->xprt_ctx, conn)) { - SSL_free(conn->xprt_ctx); - conn->xprt_ctx = NULL; -+ if (may_retry--) { -+ pool_gc2(); -+ goto retry_accept; -+ } - conn->err_code = CO_ER_SSL_NO_MEM; - return -1; - } --- -2.0.4 - diff --git a/net/haproxy/patches/0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch b/net/haproxy/patches/0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch deleted file mode 100644 index 7a741fbbb5..0000000000 --- a/net/haproxy/patches/0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 1f96a87c4e1412ccdc6cfe81bfd6f20a1782886a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Cyril=20Bont=C3=A9?= -Date: Sat, 15 Nov 2014 22:41:27 +0100 -Subject: [PATCH 4/6] BUG/MEDIUM: checks: fix conflicts between agent checks - and ssl healthchecks - -Lasse Birnbaum Jensen reported an issue when agent checks are used at the same -time as standard healthchecks when SSL is enabled on the server side. - -The symptom is that agent checks try to communicate in SSL while it should -manage raw data. This happens because the transport layer is shared between all -kind of checks. - -To fix the issue, the transport layer is now stored in each check type, -allowing to use SSL healthchecks when required, while an agent check should -always use the raw_sock implementation. - -The fix must be backported to 1.5. -(cherry picked from commit 9ce1311ebc834e20addc7a8392c0fc4e4ad687b7) ---- - include/types/checks.h | 3 ++- - include/types/server.h | 1 - - src/checks.c | 2 +- - src/server.c | 2 +- - src/ssl_sock.c | 2 +- - 5 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/include/types/checks.h b/include/types/checks.h -index a50043b..42b7b07 100644 ---- a/include/types/checks.h -+++ b/include/types/checks.h -@@ -125,6 +125,7 @@ enum { - }; - - struct check { -+ struct xprt_ops *xprt; /* transport layer operations for health checks */ - struct connection *conn; /* connection state for health checks */ - unsigned short port; /* the port to use for the health checks */ - struct buffer *bi, *bo; /* input and output buffers to send/recv check */ -@@ -132,7 +133,7 @@ struct check { - struct timeval start; /* last health check start time */ - long duration; /* time in ms took to finish last health check */ - short status, code; /* check result, check code */ -- char desc[HCHK_DESC_LEN]; /* health check descritpion */ -+ char desc[HCHK_DESC_LEN]; /* health check description */ - int use_ssl; /* use SSL for health checks */ - int send_proxy; /* send a PROXY protocol header with checks */ - struct tcpcheck_rule *current_step; /* current step when using tcpcheck */ -diff --git a/include/types/server.h b/include/types/server.h -index 313f58d..c419b40 100644 ---- a/include/types/server.h -+++ b/include/types/server.h -@@ -194,7 +194,6 @@ struct server { - - struct { /* configuration used by health-check and agent-check */ - struct protocol *proto; /* server address protocol for health checks */ -- struct xprt_ops *xprt; /* transport layer operations for health checks */ - struct sockaddr_storage addr; /* the address to check, if different from */ - } check_common; - -diff --git a/src/checks.c b/src/checks.c -index 5318f35..84bf0e5 100644 ---- a/src/checks.c -+++ b/src/checks.c -@@ -1413,7 +1413,7 @@ static int connect_chk(struct task *t) - - /* prepare a new connection */ - conn_init(conn); -- conn_prepare(conn, s->check_common.proto, s->check_common.xprt); -+ conn_prepare(conn, s->check_common.proto, check->xprt); - conn_attach(conn, check, &check_conn_cb); - conn->target = &s->obj_type; - -diff --git a/src/server.c b/src/server.c -index fdb63cc..94a31b6 100644 ---- a/src/server.c -+++ b/src/server.c -@@ -929,7 +929,7 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr - - newsrv->addr = *sk; - newsrv->proto = newsrv->check_common.proto = protocol_by_family(newsrv->addr.ss_family); -- newsrv->xprt = newsrv->check_common.xprt = &raw_sock; -+ newsrv->xprt = newsrv->check.xprt = newsrv->agent.xprt = &raw_sock; - - if (!newsrv->proto) { - Alert("parsing [%s:%d] : Unknown protocol family %d '%s'\n", -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index f50efe5..b73d6f9 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -1812,7 +1812,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy) - if (srv->use_ssl) - srv->xprt = &ssl_sock; - if (srv->check.use_ssl) -- srv->check_common.xprt = &ssl_sock; -+ srv->check.xprt = &ssl_sock; - - srv->ssl_ctx.ctx = SSL_CTX_new(SSLv23_client_method()); - if (!srv->ssl_ctx.ctx) { --- -2.0.4 - diff --git a/net/haproxy/patches/0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch b/net/haproxy/patches/0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch deleted file mode 100644 index 1ca2efe0d7..0000000000 --- a/net/haproxy/patches/0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch +++ /dev/null @@ -1,42 +0,0 @@ -From cac307c020db7a938b73d4fef27a3b4ad2ecdf6a Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Tue, 18 Nov 2014 15:04:29 +0100 -Subject: [PATCH 5/6] BUG/MINOR: config: don't inherit the default balance - algorithm in frontends - -Tom Limoncelli from Stack Exchange reported a minor bug : the frontend -inherits the LB parameters from the defaults sections. The impact is -that if a "balance" directive uses any L7 parameter in the defaults -sections and the frontend is in TCP mode, a warning is emitted about -their incompatibility. The warning is harmless but a valid, sane config -should never cause any warning to be reported. - -This fix should be backported into 1.5 and possibly 1.4. -(cherry picked from commit 743c128580ee29c8f073b4a29771a5ce715f3721) ---- - src/cfgparse.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/cfgparse.c b/src/cfgparse.c -index 392a692..40d20ab 100644 ---- a/src/cfgparse.c -+++ b/src/cfgparse.c -@@ -2003,7 +2003,6 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) - curproxy->no_options = defproxy.no_options; - curproxy->no_options2 = defproxy.no_options2; - curproxy->bind_proc = defproxy.bind_proc; -- curproxy->lbprm.algo = defproxy.lbprm.algo; - curproxy->except_net = defproxy.except_net; - curproxy->except_mask = defproxy.except_mask; - curproxy->except_to = defproxy.except_to; -@@ -2037,6 +2036,7 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) - } - - if (curproxy->cap & PR_CAP_BE) { -+ curproxy->lbprm.algo = defproxy.lbprm.algo; - curproxy->fullconn = defproxy.fullconn; - curproxy->conn_retries = defproxy.conn_retries; - curproxy->max_ka_queue = defproxy.max_ka_queue; --- -2.0.4 - diff --git a/net/haproxy/patches/0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch b/net/haproxy/patches/0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch deleted file mode 100644 index 835461cdb3..0000000000 --- a/net/haproxy/patches/0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 8ba50128832bb31e95f06fe4cb2bd172f2b945fe Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Tue, 18 Nov 2014 18:49:19 +0100 -Subject: [PATCH 6/6] BUG/MAJOR: frontend: initialize capture pointers earlier - -Denys Fedoryshchenko reported and diagnosed a nasty bug caused by TCP -captures, introduced in late 1.5-dev by commit 18bf01e ("MEDIUM: tcp: -add a new tcp-request capture directive"). The problem is that we're -using the array of capture pointers initially designed for HTTP usage -only, and that this array was only reset when starting to process an -HTTP request. In a tcp-only frontend, the pointers are not reset, and -if the capture pool is shared, we can very well point to whatever other -memory location, resulting in random crashes when tcp-request content -captures are processed. - -The fix simply consists in initializing these pointers when the pools -are prepared. - -A workaround for existing versions consists in either disabling TCP -captures in tcp-only frontends, or in forcing the frontends to work in -HTTP mode. - -Thanks to Denys for the amount of testing and detailed reports. - -This fix must be backported to 1.5. -(cherry picked from commit 9654e57fac86c773091b892f42015ba2ba56be5a) ---- - src/frontend.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/src/frontend.c b/src/frontend.c -index 3f80774..2928047 100644 ---- a/src/frontend.c -+++ b/src/frontend.c -@@ -106,11 +106,17 @@ int frontend_accept(struct session *s) - if (global.tune.client_rcvbuf) - setsockopt(cfd, SOL_SOCKET, SO_RCVBUF, &global.tune.client_rcvbuf, sizeof(global.tune.client_rcvbuf)); - -- if (unlikely(s->fe->nb_req_cap > 0 && (s->txn.req.cap = pool_alloc2(s->fe->req_cap_pool)) == NULL)) -- goto out_return; /* no memory */ -+ if (unlikely(s->fe->nb_req_cap > 0)) { -+ if ((s->txn.req.cap = pool_alloc2(s->fe->req_cap_pool)) == NULL) -+ goto out_return; /* no memory */ -+ memset(s->txn.req.cap, 0, s->fe->nb_req_cap * sizeof(void *)); -+ } - -- if (unlikely(s->fe->nb_rsp_cap > 0 && (s->txn.rsp.cap = pool_alloc2(s->fe->rsp_cap_pool)) == NULL)) -- goto out_free_reqcap; /* no memory */ -+ if (unlikely(s->fe->nb_rsp_cap > 0)) { -+ if ((s->txn.rsp.cap = pool_alloc2(s->fe->rsp_cap_pool)) == NULL) -+ goto out_free_reqcap; /* no memory */ -+ memset(s->txn.rsp.cap, 0, s->fe->nb_rsp_cap * sizeof(void *)); -+ } - - if (s->fe->http_needed) { - /* we have to allocate header indexes only if we know --- -2.0.4 -