From aaa58862900243db9931fb5c141826592776f422 Mon Sep 17 00:00:00 2001 From: xh Date: Thu, 21 Nov 2024 03:22:24 +0000 Subject: [PATCH] backport upstream patches --- ...m-Prevent-mux-upgrades-if-client-con.patch | 51 +++++++++++++++++++ haproxy.spec | 9 +++- 2 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 backport-BUG-MEDIUM-stream-Prevent-mux-upgrades-if-client-con.patch diff --git a/backport-BUG-MEDIUM-stream-Prevent-mux-upgrades-if-client-con.patch b/backport-BUG-MEDIUM-stream-Prevent-mux-upgrades-if-client-con.patch new file mode 100644 index 0000000..6decd27 --- /dev/null +++ b/backport-BUG-MEDIUM-stream-Prevent-mux-upgrades-if-client-con.patch 
@@ -0,0 +1,51 @@ +From d36049a61ec1b5c081259018e50cb69d1452d99a Mon Sep 17 00:00:00 2001 +From: Christopher Faulet +Date: Wed, 28 Aug 2024 15:42:22 +0200 +Subject: [PATCH] BUG/MEDIUM: stream: Prevent mux upgrades if client connection + is no longer ready + +If an early error occurred on the client connection, we must prevent any +multiplexer upgrades. Indeed, it is unexpected for a mux to be initialized +with no xprt. On a normal workflow it is impossible. So it is not an +issue. But if a mux upgrade is performed at the stream level, an early error +on the connection may have already been handled by the previous mux and the +connection may be already fully closed. If the mux upgrade is still +performed, a crash can be experienced. + +It is possible to have a crash with an implicit TCP>HTTP upgrade if there is no +data in the input buffer. But it is also possible to get a crash with an +explicit "switch-mode http" rule. + +It must be backported to all stable versions. In 2.2, the patch must be +applied directly in stream_set_backend() function. 
+ +(cherry picked from commit e4812404c541018ba521abf6573be92553ba7c53) +Signed-off-by: Willy Tarreau +(cherry picked from commit 13437097c312e524a346b9016d8ab273374d2053) +Signed-off-by: Christopher Faulet +(cherry picked from commit 56fb102c0c6094792fd38455b38b88a94454e996) +Signed-off-by: Willy Tarreau +(cherry picked from commit 2b48b04ab00148bc5ddfc66ba12214bdedf7c2ae) +Signed-off-by: Christopher Faulet + +Conflict: NA +Reference: https://github.com/haproxy/haproxy/commit/d36049a61ec1b5c081259018e50cb69d1452d99a +--- + src/stream.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/stream.c b/src/stream.c +index 9fa55aad8844..b0ede3e25844 100644 +--- a/src/stream.c ++++ b/src/stream.c +@@ -1486,6 +1486,10 @@ int stream_set_http_mode(struct stream *s, const struct mux_proto_list *mux_prot + return 0; + + conn = sc_conn(sc); ++ ++ if (!sc_conn_ready(sc)) ++ return 0; ++ + if (conn) { + se_have_more_data(s->scf->sedesc); + /* Make sure we're unsubscribed, the the new diff --git a/haproxy.spec b/haproxy.spec index e70449d..2a2872a 100644 --- a/haproxy.spec +++ b/haproxy.spec @@ -5,7 +5,7 @@ Name: haproxy Version: 2.6.6 -Release: 12 +Release: 13 Summary: The Reliable, High Performance TCP/HTTP Load Balancer License: GPLv2+ @@ -39,6 +39,7 @@ Patch18: backport-BUG-MINOR-server-do-not-leak-default-server-in-defau. Patch19: backport-BUG-MINOR-server-source-interface-ignored-from-defau.patch Patch20: backport-BUG-MINOR-haproxy-only-tid-0-must-not-sleep-if-got-s.patch Patch21: fix-timehopping-in-freq_ctr_total.patch +Patch22: backport-BUG-MEDIUM-stream-Prevent-mux-upgrades-if-client-con.patch BuildRequires: gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic %ifarch sw_64 
@@ -143,6 +144,12 @@ exit 0 %{_mandir}/man1/* %changelog +* Thu Nov 21 2024 xinghe - 2.6.6-13 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:stream: Prevent mux upgrades if client connection is no longer ready + * Mon Sep 23 2024 xinghe - 2.6.6-12 - Type:bugfix - CVE:NA -- Gitee
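Review bot: in the src/stream.c hunk of the backported patch, the added `if (!sc_conn_ready(sc)) return 0;` carries no comment and sits above the existing `if (conn)` test, so sc_conn_ready() is reached while conn may still be NULL. Please confirm that sc_conn_ready() in the 2.6.6 tree tolerates a stream connector with no connection, and add a one-line comment above the check (for example "client connection already in error or closed, do not upgrade the mux") so the reason given in the commit message stays next to the code. The check also returns the same 0 as the early return just above it, so it is worth verifying that callers of stream_set_http_mode() treat 0 on this path as "no upgrade performed" and stop processing.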
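Review bot: the first haproxy.spec hunk only declares `Patch22:`; nothing in this diff touches %prep. If the spec applies patches through %autosetup or %autopatch that is enough, but if it lists %patchN lines individually a matching entry for Patch22 is needed, otherwise Release 13 builds without the stream.c fix.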
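Review bot: the %changelog entry for 2.6.6-13 records only the upstream subject in DESC, with CVE:NA, while the backported commit message states that a crash can be experienced after an early error on the client connection. Consider naming the upstream commit from the patch's Reference line (d36049a61ec1b5c081259018e50cb69d1452d99a) in DESC so the fix can be traced from the package changelog without opening the patch file.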