From eb89e4f3e0595abdd38694b01209d6a69787f8cf Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Mon, 18 Mar 2024 08:02:32 +0100
Subject: [PATCH] BUG/MEDIUM: spoe: Return an invalid frame on recv if size is too small

Frames with a too small size must be detected on receive and an error must be triggered. It is especially important for frames of size 0. Otherwise, because the frame length is used as return value, the frame is ignored (0 is the return value to state the frame must be ignored). It is an issue because in this case, outgoing data, the 4 bytes representing the frame size, are never consumed. If the agent also closes the connection, this leads to a wakeup loop because outgoing data are stuck and a shutdown is pending.

In addition, all pending outgoing data are systematcially skipped when the applet is in SPOE_APPCTX_ST_END state.

The patch should fix the issue #2490. It must be backported to all stable versions.
---
 src/flt_spoe.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index 0c06bed77..f646581ef 100644
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -1165,6 +1165,10 @@ spoe_recv_frame(struct appctx *appctx, char *buf, size_t framesz)
 ret = co_getblk(sc_oc(sc), (char *)&netint, 4, 0);
 if (ret > 0) {
 framesz = ntohl(netint);
+ if (framesz < 7) {
+ SPOE_APPCTX(appctx)->status_code = SPOE_FRM_ERR_INVALID;
+ return -1;
+ }
 if (framesz > SPOE_APPCTX(appctx)->max_frame_size) {
 SPOE_APPCTX(appctx)->status_code = SPOE_FRM_ERR_TOO_BIG;
 return -1;
@@ -1998,6 +2002,7 @@ spoe_handle_appctx(struct appctx *appctx)
 __fallthrough;
 case SPOE_APPCTX_ST_END:
+ co_skip(sc_oc(sc), co_data(sc_oc(sc)));
 return;
 }
 out:
-- 
2.47.3
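Review bot: The new lower bound `if (framesz < 7)` in spoe_recv_frame is a bare magic number with nothing in the hunk saying what 7 is; from the SPOP frame layout it is presumably the smallest possible fixed header, TYPE (1 byte) + FLAGS (4 bytes) + STREAM-ID and FRAME-ID (at least 1 byte each as varints), but that should be confirmed against the protocol definition and written down. I would annotate it, e.g. `if (framesz < 7) { /* TYPE(1) + FLAGS(4) + STREAM-ID(>=1) + FRAME-ID(>=1) */`, or give it a named constant, so the next change to the header format finds this check. Note that on this new path the 4 length bytes already read by co_getblk() stay unconsumed in the output channel, exactly as on the SPOE_FRM_ERR_TOO_BIG path just below, so the fix appears to rely on the error state machine reaching SPOE_APPCTX_ST_END where the second hunk drains them; a one-line comment stating that the bytes are deliberately left for the END-state drain would make that coupling visible. spoe_recv_frame starts and ends outside the hunk.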
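Review bot: The unconditional `co_skip(sc_oc(sc), co_data(sc_oc(sc)));` added to the SPOE_APPCTX_ST_END case carries no comment, and the reason it is needed (an unconsumed frame length stuck in the output channel blocks a pending shutdown and makes the applet wake up in a loop) lives only in the commit message. I would add above the call: `/* Nothing will consume output data once in END state; drain them so a pending shutdown can complete and the applet does not spin. */`. Since this case is also reached through the __fallthrough from the preceding state, it is worth confirming that discarding pending output is intended on every path that lands in ST_END, not only the invalid-frame one this commit fixes. spoe_handle_appctx starts and ends outside the hunk.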