From 5e1c1468789d80213325054b6fc1dbd1c70d7776 Mon Sep 17 00:00:00 2001 
From: Miroslav Zagorac Date: Mon, 14 Oct 2019 17:15:56 +0200 Subject: [PATCH] BUG/MINOR: WURFL: fix send_log() function arguments If the user agent data contains text that has special characters that are used to format the output from the vfprintf() function, haproxy crashes. String "%s %s %s" may be used as an example. % curl -A "%s %s %s" localhost:10080/index.html curl: (52) Empty reply from server haproxy log: 00000000:WURFL-test.clireq[00c7:ffffffff]: GET /index.html HTTP/1.1 00000000:WURFL-test.clihdr[00c7:ffffffff]: host: localhost:10080 00000000:WURFL-test.clihdr[00c7:ffffffff]: user-agent: %s %s %s 00000000:WURFL-test.clihdr[00c7:ffffffff]: accept: */* segmentation fault (core dumped) gdb 'where' output: #0 strlen () at ../sysdeps/x86_64/strlen.S:106 #1 0x00007f7c014a8da8 in _IO_vfprintf_internal (s=s@entry=0x7ffc808fe750, format=, format@entry=0x7ffc808fe9c0 "WURFL: retrieve header request returns [%s %s %s]\n", ap=ap@entry=0x7ffc808fe8b8) at vfprintf.c:1637 #2 0x00007f7c014cfe89 in _IO_vsnprintf ( string=0x55cb772c34e0 "WURFL: retrieve header request returns [(null) %s %s %s B,w\313U", maxlen=, format=format@entry=0x7ffc808fe9c0 "WURFL: retrieve header request returns [%s %s %s]\n", args=args@entry=0x7ffc808fe8b8) at vsnprintf.c:114 #3 0x000055cb758f898f in send_log (p=p@entry=0x0, level=level@entry=5, format=format@entry=0x7ffc808fe9c0 "WURFL: retrieve header request returns [%s %s %s]\n") at src/log.c:1477 #4 0x000055cb75845e0b in ha_wurfl_log ( message=message@entry=0x55cb75989460 "WURFL: retrieve header request returns [%s]\n") at src/wurfl.c:47 #5 0x000055cb7584614a in ha_wurfl_retrieve_header (header_name=, wh=0x7ffc808fec70) at src/wurfl.c:763 In case WURFL (actually HAProxy) is not compiled with debug option enabled (-DWURFL_DEBUG), this bug does not come to light. This patch could be backported in every version supporting the ScientiaMobile's WURFL. (as far as 1.7) (cherry picked from commit f0eb3739ac5460016455cd606d856e7bd2b142fb) 
Signed-off-by: Christopher Faulet
---
 src/wurfl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wurfl.c b/src/wurfl.c
index 27e673d02..41de1d9c3 100644
--- a/src/wurfl.c
+++ b/src/wurfl.c
@@ -44,7 +44,7 @@ inline static void ha_wurfl_log(char * message, ...)
 va_start(argp, message);
 vsnprintf(logbuf, sizeof(logbuf), message, argp);
 va_end(argp);
- send_log(NULL, LOG_NOTICE, logbuf, NULL);
+ send_log(NULL, LOG_NOTICE, "%s", logbuf);
 }
 #else
 inline static void ha_wurfl_log(char * message, ...)
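Review bot: The wrapper `ha_wurfl_log(char * message, ...)` still takes its own format as a plain `char *` with no printf format attribute, so the `"%s", logbuf` change protects only the `send_log()` call and the same bug can return one level up if a caller ever passes request-derived text as `message`. I would declare both the debug and the `#else` variant as `inline static void ha_wurfl_log(const char *message, ...) __attribute__((format(printf, 1, 2)));`, so the compiler checks every call site's arguments and `-Wformat-security` can flag a non-literal format. The signature appears only in the hunk header and the trailing context, and the function's opening lines (the `logbuf` declaration) are outside the hunk, so the buffer size and the rest of the body could not be checked. Separately, since the format string here is controlled by the User-Agent header in `-DWURFL_DEBUG` builds, this is a format-string flaw (CWE-134) rather than only a crash, which may be worth reflecting in backport triage.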