diff --git a/backport-BUG-MEDIUM-stream-Prevent-mux-upgrades-if-client-con.patch b/backport-BUG-MEDIUM-stream-Prevent-mux-upgrades-if-client-con.patch new file mode 100644 index 0000000000000000000000000000000000000000..2f56503b662a8a0b826751858355d65aa3204dcc --- /dev/null +++ b/backport-BUG-MEDIUM-stream-Prevent-mux-upgrades-if-client-con.patch 
@@ -0,0 +1,47 @@ +From 56fb102c0c6094792fd38455b38b88a94454e996 Mon Sep 17 00:00:00 2001 +From: Christopher Faulet +Date: Wed, 28 Aug 2024 15:42:22 +0200 +Subject: [PATCH] BUG/MEDIUM: stream: Prevent mux upgrades if client connection + is no longer ready + +If an early error occurred on the client connection, we must prevent any +multiplexer upgrades. Indeed, it is unexpected for a mux to be initialized +with no xprt. On a normal workflow it is impossible. So it is not an +issue. But if a mux upgrade is performed at the stream level, an early error +on the connection may have already been handled by the previous mux and the +connection may be already fully closed. If the mux upgrade is still +performed, a crash can be experienced. + +It is possible to have a crash with an implicit TCP>HTTP upgrade if there is no +data in the input buffer. But it is also possible to get a crash with an +explicit "switch-mode http" rule. + +It must be backported to all stable versions. In 2.2, the patch must be +applied directly in stream_set_backend() function. + +(cherry picked from commit e4812404c541018ba521abf6573be92553ba7c53) +Signed-off-by: Willy Tarreau +(cherry picked from commit 13437097c312e524a346b9016d8ab273374d2053) +Signed-off-by: Christopher Faulet + +Conflict: NA +Reference: https://github.com/haproxy/haproxy/commit/56fb102c0c6094792fd38455b38b88a94454e996 +--- + src/stream.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/stream.c b/src/stream.c +index e643a6db6a05..89b7c238fe48 100644 +--- a/src/stream.c ++++ b/src/stream.c +@@ -1488,6 +1488,10 @@ int stream_set_http_mode(struct stream *s, const struct mux_proto_list *mux_prot + return 0; + + conn = sc_conn(sc); ++ ++ if (!sc_conn_ready(sc)) ++ return 0; ++ + if (conn) { + se_have_more_data(s->scf->sedesc); + /* Make sure we're unsubscribed, the the new diff --git a/haproxy.spec b/haproxy.spec index 32b5b960819e0eed0ed0e1bad28fe3203519d84b..23fbda8e44a620d0762fb7acb7e5dcda7b0afea8 100644 
--- a/haproxy.spec +++ b/haproxy.spec @@ -5,7 +5,7 @@ Name: haproxy Version: 2.9.5 -Release: 5 +Release: 6 Summary: The Reliable, High Performance TCP/HTTP Load Balancer License: GPLv2+ @@ -19,6 +19,7 @@ Source4: %{name}.sysconfig Patch1: backport-BUG-MINOR-server-source-interface-ignored-from-defau.patch Patch2: Backport-CVE-2024-45506-BUG-MAJOR-mux-h2-always.patch Patch3: CVE-2024-49214.patch +Patch4: backport-BUG-MEDIUM-stream-Prevent-mux-upgrades-if-client-con.patch BuildRequires: gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic Requires(pre): shadow-utils @@ -123,6 +124,12 @@ exit 0 %{_mandir}/man1/* %changelog +* Thu Nov 21 2024 xinghe - 2.9.5-6 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:stream: Prevent mux upgrades if client connection is no longer ready + * Mon Oct 14 2024 yaoxin - 2.9.5-5 - Fix CVE-2024-49214
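Review bot: in the src/stream.c hunk the new `if (!sc_conn_ready(sc)) return 0;` is inserted after `conn = sc_conn(sc);` but before `conn` is used, so the assignment is dead on the early-return path; hoisting the check above `conn = sc_conn(sc);` (or folding it into the early `return 0;` that already precedes it) would read more clearly and drop the extra blank line the hunk adds on each side of the check. A one-line comment such as `/* early error on the client connection: the previous mux may have closed it, so no upgrade */` would also record why the upgrade is skipped silently rather than reported, since a bare `return 0` here is indistinguishable from the existing "no connection" return to the caller. Placing the check in stream_set_http_mode() is consistent with the upstream note that only 2.2 needs it in stream_set_backend(); this package is 2.9.5.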
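Review bot: the `Patch4:` hunk declares the new patch but the diff shows no corresponding change in `%prep`; if that section applies patches with explicit `%patch` lines rather than `%autosetup`/`%autopatch`, Patch4 will be listed yet never applied, so please confirm the `%prep` form before merging. As a style point, the new file name `backport-BUG-MEDIUM-stream-...` uses a lowercase `backport-` prefix while Patch2 uses `Backport-CVE-...` and Patch3 is a bare `CVE-2024-49214.patch`; picking one naming scheme for backports would make the list easier to scan.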
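Review bot: the changelog entry for 2.9.5-6 repeats only the patch subject in `DESC:`; the upstream message says the bug is a crash on a TCP>HTTP mux upgrade (implicit, or via `switch-mode http`) after an early client-connection error, and stating that plus the upstream commit id (56fb102c) in `DESC:` would let anyone reading the spec history see what was actually fixed without opening the patch. The Release bump to 6 and the `Thu Nov 21 2024` date are consistent with the entry.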