Skip to content

Commit

Permalink
BUG/MINOR: WURFL: fix send_log() function arguments
Browse files Browse the repository at this point in the history 
If the user agent data contains text that has special characters that
are used to format the output from the vfprintf() function, haproxy
crashes.  String "%s %s %s" may be used as an example.

% curl -A "%s %s %s" localhost:10080/index.html
curl: (52) Empty reply from server

haproxy log:
00000000:WURFL-test.clireq[00c7:ffffffff]: GET /index.html HTTP/1.1
00000000:WURFL-test.clihdr[00c7:ffffffff]: host: localhost:10080
00000000:WURFL-test.clihdr[00c7:ffffffff]: user-agent: %s %s %s
00000000:WURFL-test.clihdr[00c7:ffffffff]: accept: */*
segmentation fault (core dumped)

gdb 'where' output:
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00007f7c014a8da8 in _IO_vfprintf_internal (s=s@entry=0x7ffc808fe750, format=<optimized out>,
    format@entry=0x7ffc808fe9c0 "WURFL: retrieve header request returns [%s %s %s]\n",
    ap=ap@entry=0x7ffc808fe8b8) at vfprintf.c:1637
#2  0x00007f7c014cfe89 in _IO_vsnprintf (
    string=0x55cb772c34e0 "WURFL: retrieve header request returns [(null) %s %s %s  B,w\313U",
    maxlen=<optimized out>,
    format=format@entry=0x7ffc808fe9c0 "WURFL: retrieve header request returns [%s %s %s]\n",
    args=args@entry=0x7ffc808fe8b8) at vsnprintf.c:114
#3  0x000055cb758f898f in send_log (p=p@entry=0x0, level=level@entry=5,
    format=format@entry=0x7ffc808fe9c0 "WURFL: retrieve header request returns [%s %s %s]\n")
    at src/log.c:1477
#4  0x000055cb75845e0b in ha_wurfl_log (
    message=message@entry=0x55cb75989460 "WURFL: retrieve header request returns [%s]\n") at src/wurfl.c:47
#5  0x000055cb7584614a in ha_wurfl_retrieve_header (header_name=<optimized out>, wh=0x7ffc808fec70)
    at src/wurfl.c:763

In case WURFL (actually HAProxy) is not compiled with debug option
enabled (-DWURFL_DEBUG), this bug does not come to light.

This patch could be backported in every version supporting
the ScientiaMobile's WURFL. (as far as 1.7)

(cherry picked from commit f0eb3739ac5460016455cd606d856e7bd2b142fb)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
  • Loading branch information
@zaga00 @capflam
zaga00 authored and capflam committed Oct 16, 2019
1 parent b4bad50 commit 5e1c146
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/wurfl.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ inline static void ha_wurfl_log(char * message, ...)
va_start(argp, message);
vsnprintf(logbuf, sizeof(logbuf), message, argp);
va_end(argp);
send_log(NULL, LOG_NOTICE, logbuf, NULL);
send_log(NULL, LOG_NOTICE, "%s", logbuf);
}
#else
inline static void ha_wurfl_log(char * message, ...)
Expand Down

0 comments on commit 5e1c146

Please sign in to comment.