From 2e6bf0a2722866ae0128a4392fa2375bd1f03ff8 Mon Sep 17 00:00:00 2001
From: Youfu Zhang <zhangyoufu@gmail.com>
Date: Fri, 9 Dec 2022 19:15:48 +0800
Subject: [PATCH] BUG/MAJOR: fcgi: Fix uninitialized reserved bytes
The output buffer is not zero-initialized. If we don't clear reserved
bytes, fcgi requests sent to backend will leak sensitive data.
This patch must be backported as far as 2.2.
---
src/fcgi.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/fcgi.c b/src/fcgi.c
index dcf2db2..1d1a82b 100644
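--- a/src/fcgi.c
+++ b/src/fcgi.c
@@ -47,7 +47,7 @@ int fcgi_encode_record_hdr(struct buffer *out, const struct fcgi_header *h)
 out->area[len++] = ((h->len >> 8) & 0xff);
 out->area[len++] = (h->len & 0xff);
 out->area[len++] = h->padding;
- len++; /* rsv */
+ out->area[len++] = 0; /* rsv */
 
 out->data = len;
 return 1;
@@ -94,7 +94,11 @@ int fcgi_encode_begin_request(struct buffer *out, const struct fcgi_begin_reques
 out->area[len++] = ((r->role >> 8) & 0xff);
 out->area[len++] = (r->role & 0xff);
 out->area[len++] = r->flags;
- len += 5; /* rsv */
+ out->area[len++] = 0; /* rsv */
+ out->area[len++] = 0;
+ out->area[len++] = 0;
+ out->area[len++] = 0;
+ out->area[len++] = 0;
 
 out->data = len;
 return 1;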
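Review bot: The five reserved bytes in fcgi_encode_begin_request are cleared with five separate stores and only the first carries the `/* rsv */` comment, so a reader has to count lines to confirm that all five are covered; `memset(out->area + len, 0, 5); len += 5; /* rsv: must not carry stale buffer contents */` states the count once (assuming <string.h> is already available in this file). Both encoders start above their hunks, so whether a capacity check on `out` precedes these writes cannot be confirmed from here. Since the root cause is a byte that was skipped over in a buffer that is not zero-initialized, it is worth checking any other place in fcgi.c that advances a length without storing to it; record padding sized by `h->padding` is a plausible candidate, though that code is not visible in this patch.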
--
1.7.10.4