
haproxy: bump to version 1.5.3

 - upgrade to 1.5.3
 - [PATCH 1/3] BUG/MINOR: server: move the directive #endif to the end
 - [PATCH 2/3] BUG/MINOR: Fix search for -p argument in systemd wrapper.
 - [PATCH 3/3] BUG/MAJOR: tcp: fix a possible busy spinning loop in

Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
Thomas Heil 10 jaren geleden
bovenliggende
commit
08e97960c7

+ 3
- 3
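--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -9,11 +9,11 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=haproxy
-PKG_VERSION:=1.5.2
-PKG_RELEASE:=06
+PKG_VERSION:=1.5.3
+PKG_RELEASE:=03
 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
-PKG_MD5SUM:=e854fed32ea751d6db7f366cb910225a
+PKG_MD5SUM:=e999a547d57445d5a5ab7eb6a06df9a1
 PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de>
 PKG_LICENSE:=GPL-2.0
 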

+ 42
- 0
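--- a/net/haproxy/patches/0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch
+++ b/net/haproxy/patches/0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch
@@ -0,0 +1,42 @@
+From ad65af7dab9b8d8033fd09d8031cc774a6fbf768 Mon Sep 17 00:00:00 2001
+From: Godbach <nylzhaowei@gmail.com>
+Date: Mon, 28 Jul 2014 17:31:57 +0800
+Subject: [PATCH 1/3] BUG/MINOR: server: move the directive #endif to the end
+ of file
+
+If a source file includes proto/server.h twice or more, redefinition errors will
+be triggered for such inline functions as server_throttle_rate(),
+server_is_draining(), srv_adm_set_maint() and so on. Just move #endif directive
+to the end of file to solve this issue.
+
+Signed-off-by: Godbach <nylzhaowei@gmail.com>
+(cherry picked from commit e468d55998e134dac1b18d5d9d075ffd5691c827)
+---
+ include/proto/server.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/proto/server.h b/include/proto/server.h
+index 9893266..71c8b13 100644
+--- a/include/proto/server.h
++++ b/include/proto/server.h
+@@ -54,8 +54,6 @@ static void inline srv_set_sess_last(struct server *s)
+ 	s->counters.last_sess = now.tv_sec;
+ }
+ 
+-#endif /* _PROTO_SERVER_H */
+-
+ /*
+  * Registers the server keyword list <kwl> as a list of valid keywords for next
+  * parsing sessions.
+@@ -200,6 +198,8 @@ static inline void srv_adm_set_ready(struct server *s)
+ 	srv_clr_admin_flag(s, SRV_ADMF_FMAINT);
+ }
+ 
++#endif /* _PROTO_SERVER_H */
++
+ /*
+  * Local variables:
+  *  c-indent-level: 8
+-- 
+1.8.5.5
+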

+ 0
- 28
net/haproxy/patches/0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch Bestand weergeven

@@ -1,29 +0,0 @@
1
-From a124eb6d7838eff2c52cc9bf027594c11e87fae9 Mon Sep 17 00:00:00 2001
2
-From: Willy Tarreau <w@1wt.eu>
3
-Date: Sat, 12 Jul 2014 17:31:07 +0200
4
-Subject: [PATCH 1/2] DOC: mention that Squid correctly responds 400 to PPv2
5
- header
6
-
7
-Amos reported that Squid builds 3.5.0.0_20140624 and 3.5.0.0_20140630
8
-were confirmed to respond correctly here and that any version will do
9
-the same.
10
-(cherry picked from commit 9e1382002aa1ba12dcc637870befd077ff887aad)
11
----
12
- doc/proxy-protocol.txt | 1 +
13
- 1 file changed, 1 insertion(+)
14
-
15
-diff --git a/doc/proxy-protocol.txt b/doc/proxy-protocol.txt
16
-index a2dbcea..a3925a4 100644
17
---- a/doc/proxy-protocol.txt
18
-+++ b/doc/proxy-protocol.txt
19
-@@ -692,6 +692,7 @@ presented, even with minimal implementations :
20
-     - thttpd 2.20c     : 400 Bad Request + abort => pass/optimal
21
-     - mini-httpd-1.19  : 400 Bad Request + abort => pass/optimal
22
-     - haproxy 1.4.21   : 400 Bad Request + abort => pass/optimal
23
-+    - Squid 3          : 400 Bad Request + abort => pass/optimal
24
-   - SSL :
25
-     - stud 0.3.47      : connection abort        => pass/optimal
26
-     - stunnel 4.45     : connection abort        => pass/optimal
27
-1.8.5.5
28
-

+ 42
- 0
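--- a/net/haproxy/patches/0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch
+++ b/net/haproxy/patches/0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch
@@ -0,0 +1,42 @@
+From 715e9b892f564e58489f86c125aed2a8994f16e9 Mon Sep 17 00:00:00 2001
+From: Conrad Hoffmann <conrad@soundcloud.com>
+Date: Mon, 28 Jul 2014 23:22:43 +0200
+Subject: [PATCH 2/3] BUG/MINOR: Fix search for -p argument in systemd wrapper.
+
+Searching for the pid file in the list of arguments did not
+take flags without parameters into account, like e.g. -de. Because
+of this, the wrapper would use a different pid file than haproxy
+if such an argument was specified before -p.
+
+The new version can still yield a false positive for some crazy
+situations, like your config file name starting with "-p", but
+I think this is as good as it gets without using getopt or some
+library.
+
+Signed-off-by: Conrad Hoffmann <conrad@soundcloud.com>
+(cherry picked from commit eb2cf45b72a7e14c581276247381dc1ac76be2c0)
+---
+ src/haproxy-systemd-wrapper.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c
+index ba07ebe..529b213 100644
+--- a/src/haproxy-systemd-wrapper.c
++++ b/src/haproxy-systemd-wrapper.c
+@@ -130,11 +130,8 @@ static void sigint_handler(int signum __attribute__((unused)))
+ static void init(int argc, char **argv)
+ {
+ 	while (argc > 1) {
+-		if (**argv == '-') {
+-			char *flag = *argv + 1;
+-			--argc; ++argv;
+-			if (*flag == 'p')
+-				pid_file = *argv;
++		if ((*argv)[0] == '-' && (*argv)[1] == 'p') {
++			pid_file = *(argv + 1);
+ 		}
+ 		--argc; ++argv;
+ 	}
+-- 
+1.8.5.5
+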
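Review bot: The rewritten test in `init()` (patch line 35, `(*argv)[1] == 'p'`) is a prefix match, so any argument that merely starts with "-p" — an unrelated option spelled `-pXXX`, or a config path, as the commit message itself concedes — is taken as the pid-file flag and the argument after it becomes `pid_file`; requiring the flag to be exactly `-p` narrows that to `if ((*argv)[0] == '-' && (*argv)[1] == 'p' && (*argv)[2] == '\0') {`. Whether haproxy's own option parser tolerates a suffix after `-p` cannot be told from this hunk, so keep the wrapper's check aligned with it rather than stricter. The commit message says a disagreement between the two leads the wrapper to use a different pid file than haproxy, which is the failure this patch exists to fix, so the match condition deserves a comment stating that alignment. As a point of style, `pid_file = argv[1];` reads better than `*(argv + 1)` (both are in bounds here, since the loop only runs while `argc > 1`). The body of `init()` continues past the end of the hunk.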

+ 0
- 28
net/haproxy/patches/0002-DOC-fix-typo-in-Unix-Socket-commands.patch Bestand weergeven

@@ -1,29 +0,0 @@
1
-From de9789b37466c37547d8c5d52d96a9d4466eb431 Mon Sep 17 00:00:00 2001
2
-From: =?UTF-8?q?Cyril=20Bont=C3=A9?= <cyril.bonte@free.fr>
3
-Date: Sat, 12 Jul 2014 18:22:42 +0200
4
-Subject: [PATCH 2/2] DOC: fix typo in Unix Socket commands
5
-
6
-Konstantin Romanenko reported a typo in the HTML documentation. The typo is
7
-already present in the raw text version : the "shutdown sessions" command
8
-should be "shutdown sessions server".
9
-(cherry picked from commit e63a1eb290a1c407453dbcaa16535c85a1904f9e)
10
----
11
- doc/configuration.txt | 2 +-
12
- 1 file changed, 1 insertion(+), 1 deletion(-)
13
-
14
-diff --git a/doc/configuration.txt b/doc/configuration.txt
15
-index ca21f7d..2d71555 100644
16
---- a/doc/configuration.txt
17
-+++ b/doc/configuration.txt
18
-@@ -13869,7 +13869,7 @@ shutdown session <id>
19
-   endless transfer is ongoing. Such terminated sessions are reported with a 'K'
20
-   flag in the logs.
21
- 
22
--shutdown sessions <backend>/<server>
23
-+shutdown sessions server <backend>/<server>
24
-   Immediately terminate all the sessions attached to the specified server. This
25
-   can be used to terminate long-running sessions after a server is put into
26
-   maintenance mode, for instance. Such terminated sessions are reported with a
27
-1.8.5.5
28
-

+ 111
- 0
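--- a/net/haproxy/patches/0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch
+++ b/net/haproxy/patches/0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch
@@ -0,0 +1,111 @@
+From f94735eb76e634d7531f9c903113f64820c4cec0 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Wed, 30 Jul 2014 08:56:35 +0200
+Subject: [PATCH 3/3] BUG/MAJOR: tcp: fix a possible busy spinning loop in
+ content track-sc*
+
+As a consequence of various recent changes on the sample conversion,
+a corner case has emerged where it is possible to wait forever for a
+sample in track-sc*.
+
+The issue is caused by the fact that functions relying on sample_process()
+don't all exactly work the same regarding the SMP_F_MAY_CHANGE flag and
+the output result. Here it was possible to wait forever for an output
+sample from stktable_fetch_key() without checking the SMP_OPT_FINAL flag.
+As a result, if the client connects and closes without sending the data
+and haproxy expects a sample which is capable of coming, it will ignore
+this impossible case and will continue to wait.
+
+This change adds control for SMP_OPT_FINAL before waiting for extra data.
+The various relevant functions have been better documented regarding their
+output values.
+
+This fix must be backported to 1.5 since it appeared there.
+(cherry picked from commit 6bcb0a84e7256f00793fa8ec8a0d6c19c3b22935)
+---
+ src/proto_tcp.c   |  4 ++--
+ src/sample.c      | 23 ++++++++++++++++++++++-
+ src/stick_table.c | 11 ++++++++++-
+ 3 files changed, 34 insertions(+), 4 deletions(-)
+
+diff --git a/src/proto_tcp.c b/src/proto_tcp.c
+index 9778856..72dc92b 100644
+--- a/src/proto_tcp.c
++++ b/src/proto_tcp.c
+@@ -1048,8 +1048,8 @@ int tcp_inspect_request(struct session *s, struct channel *req, int an_bit)
+ 				t = rule->act_prm.trk_ctr.table.t;
+ 				key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ | partial, rule->act_prm.trk_ctr.expr, &smp);
+ 
+-				if (smp.flags & SMP_F_MAY_CHANGE)
+-					goto missing_data;
++				if ((smp.flags & SMP_F_MAY_CHANGE) && !(partial & SMP_OPT_FINAL))
++					goto missing_data; /* key might appear later */
+ 
+ 				if (key && (ts = stktable_get_entry(t, key))) {
+ 					session_track_stkctr(&s->stkctr[tcp_trk_idx(rule->action)], t, ts);
+diff --git a/src/sample.c b/src/sample.c
+index 3a0f3fb..8e62640 100644
+--- a/src/sample.c
++++ b/src/sample.c
+@@ -896,6 +896,18 @@ out_error:
+  * Note: the fetch functions are required to properly set the return type. The
+  * conversion functions must do so too. However the cast functions do not need
+  * to since they're made to cast mutiple types according to what is required.
++ *
++ * The caller may indicate in <opt> if it considers the result final or not.
++ * The caller needs to check the SMP_F_MAY_CHANGE flag in p->flags to verify
++ * if the result is stable or not, according to the following table :
++ *
++ * return MAY_CHANGE FINAL   Meaning for the sample
++ *  NULL      0        *     Not present and will never be (eg: header)
++ *  NULL      1        0     Not present yet, could change (eg: POST param)
++ *  NULL      1        1     Not present yet, will not change anymore
++ *   smp      0        *     Present and will not change (eg: header)
++ *   smp      1        0     Present, may change (eg: request length)
++ *   smp      1        1     Present, last known value (eg: request length)
+  */
+ struct sample *sample_process(struct proxy *px, struct session *l4, void *l7,
+                               unsigned int opt,
+@@ -1153,7 +1165,16 @@ int smp_resolve_args(struct proxy *p)
+  * and <opt> does not contain SMP_OPT_FINAL, then the sample is returned as-is
+  * with its SMP_F_MAY_CHANGE flag so that the caller can check it and decide to
+  * take actions (eg: wait longer). If a sample could not be found or could not
+- * be converted, NULL is returned.
++ * be converted, NULL is returned. The caller MUST NOT use the sample if the
++ * SMP_F_MAY_CHANGE flag is present, as it is used only as a hint that there is
++ * still hope to get it after waiting longer, and is not converted to string.
++ * The possible output combinations are the following :
++ *
++ * return MAY_CHANGE FINAL   Meaning for the sample
++ *  NULL      *        *     Not present and will never be (eg: header)
++ *   smp      0        *     Final value converted (eg: header)
++ *   smp      1        0     Not present yet, may appear later (eg: header)
++ *   smp      1        1     never happens (either flag is cleared on output)
+  */
+ struct sample *sample_fetch_string(struct proxy *px, struct session *l4, void *l7,
+                                    unsigned int opt, struct sample_expr *expr)
+diff --git a/src/stick_table.c b/src/stick_table.c
+index a708d3c..d39b4ff 100644
+--- a/src/stick_table.c
++++ b/src/stick_table.c
+@@ -603,7 +603,16 @@ static sample_to_key_fct sample_to_key[SMP_TYPES][STKTABLE_TYPES] = {
+  * no key could be extracted, or a pointer to the converted result stored in
+  * static_table_key in format <table_type>. If <smp> is not NULL, it will be reset
+  * and its flags will be initialized so that the caller gets a copy of the input
+- * sample, and knows why it was not accepted (eg: SMP_F_MAY_CHANGE is present).
++ * sample, and knows why it was not accepted (eg: SMP_F_MAY_CHANGE is present
++ * without SMP_OPT_FINAL). The output will be usable like this :
++ *
++ * return MAY_CHANGE FINAL   Meaning for the sample
++ *  NULL      0        *     Not present and will never be (eg: header)
++ *  NULL      1        0     Not present or unstable, could change (eg: req_len)
++ *  NULL      1        1     Not present, will not change anymore
++ *   smp      0        *     Present and will not change (eg: header)
++ *   smp      1        0     not possible
++ *   smp      1        1     Present, last known value (eg: request length)
+  */
+ struct stktable_key *stktable_fetch_key(struct stktable *t, struct proxy *px, struct session *l4, void *l7,
+                                         unsigned int opt, struct sample_expr *expr, struct sample *smp)
+-- 
+1.8.5.5
+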
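Review bot: The new guard in `tcp_inspect_request` (patch lines 41-42) ends the wait once `partial` carries SMP_OPT_FINAL, but it is the only call site changed, while the new comment table in stick_table.c documents `NULL` + MAY_CHANGE + !FINAL as a generic "could change, wait longer" result; any other caller of `stktable_fetch_key()` that loops on SMP_F_MAY_CHANGE without also testing SMP_OPT_FINAL in its own `opt` would keep the same unbounded wait on a client that connects and closes early, which is worth checking since those callers are not visible in this hunk. The three tables also give `NULL` with MAY_CHANGE different meanings (`sample_fetch_string`: never present; `sample_process` and `stktable_fetch_key`: may still appear), which is exactly the inconsistency the commit message names as the root cause, so a one-line cross-reference in the stick_table.c comment, e.g. ` * Note: unlike sample_fetch_string(), a NULL return here may be transient when SMP_F_MAY_CHANGE is set.`, would keep future callers from mixing the two contracts. `tcp_inspect_request` starts and ends outside the hunk.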

+ 0
- 100
net/haproxy/patches/0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch Bestand weergeven

@@ -1,101 +0,0 @@
1
-From 60d7aeb6e1450995e721d01f48f60b7db4c44e2b Mon Sep 17 00:00:00 2001
2
-From: Remi Gacogne <rgacogne[at]aquaray[dot]fr>
3
-Date: Tue, 15 Jul 2014 11:36:40 +0200
4
-Subject: [PATCH 3/3] BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange
5
-
6
-OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(),
7
-leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange.
8
-This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time.
9
-
10
-Note: this fix must be backported to 1.5.
11
-(cherry picked from commit 8de5415b85512da871d58d1e9a0a33bd67f3b570)
12
----
13
- src/ssl_sock.c | 43 ++++++++++++++++++++++++++++++++++++-------
14
- 1 file changed, 36 insertions(+), 7 deletions(-)
15
-
16
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
17
-index 375225d..cf8adc7 100644
18
---- a/src/ssl_sock.c
19
-+++ b/src/ssl_sock.c
20
-@@ -105,6 +105,13 @@ enum {
21
- int sslconns = 0;
22
- int totalsslconns = 0;
23
- 
24
-+#ifndef OPENSSL_NO_DH
25
-+static DH *local_dh_1024 = NULL;
26
-+static DH *local_dh_2048 = NULL;
27
-+static DH *local_dh_4096 = NULL;
28
-+static DH *local_dh_8192 = NULL;
29
-+#endif /* OPENSSL_NO_DH */
30
-+
31
- #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
32
- struct certificate_ocsp {
33
- 	struct ebmb_node key;
34
-@@ -1034,16 +1041,16 @@ static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen)
35
- 	}
36
- 
37
- 	if (keylen >= 8192) {
38
--		dh = ssl_get_dh_8192();
39
-+		dh = local_dh_8192;
40
- 	}
41
- 	else if (keylen >= 4096) {
42
--		dh = ssl_get_dh_4096();
43
-+		dh = local_dh_4096;
44
- 	}
45
- 	else if (keylen >= 2048) {
46
--		dh = ssl_get_dh_2048();
47
-+		dh = local_dh_2048;
48
- 	}
49
- 	else {
50
--		dh = ssl_get_dh_1024();
51
-+		dh = local_dh_1024;
52
- 	}
53
- 
54
- 	return dh;
55
-@@ -1079,11 +1086,11 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)
56
- 
57
- 		if (global.tune.ssl_default_dh_param <= 1024) {
58
- 			/* we are limited to DH parameter of 1024 bits anyway */
59
--			dh = ssl_get_dh_1024();
60
--			if (dh == NULL)
61
-+			local_dh_1024 = ssl_get_dh_1024();
62
-+			if (local_dh_1024 == NULL)
63
- 				goto end;
64
- 
65
--			SSL_CTX_set_tmp_dh(ctx, dh);
66
-+			SSL_CTX_set_tmp_dh(ctx, local_dh_1024);
67
- 		}
68
- 		else {
69
- 			SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh);
70
-@@ -1594,6 +1601,28 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
71
- 		global.tune.ssl_default_dh_param = 1024;
72
- 	}
73
- 
74
-+#ifndef OPENSSL_NO_DH
75
-+	if (global.tune.ssl_default_dh_param >= 1024) {
76
-+		if (local_dh_1024 == NULL) {
77
-+			local_dh_1024 = ssl_get_dh_1024();
78
-+		}
79
-+		if (global.tune.ssl_default_dh_param >= 2048) {
80
-+			if (local_dh_2048 == NULL) {
81
-+				local_dh_2048 = ssl_get_dh_2048();
82
-+			}
83
-+			if (global.tune.ssl_default_dh_param >= 4096) {
84
-+				if (local_dh_4096 == NULL) {
85
-+					local_dh_4096 = ssl_get_dh_4096();
86
-+				}
87
-+				if (global.tune.ssl_default_dh_param >= 8192 &&
88
-+				    local_dh_8192 == NULL) {
89
-+					local_dh_8192 = ssl_get_dh_8192();
90
-+				}
91
-+			}
92
-+		}
93
-+	}
94
-+#endif /* OPENSSL_NO_DH */
95
-+
96
- 	SSL_CTX_set_info_callback(ctx, ssl_sock_infocbk);
97
- #if OPENSSL_VERSION_NUMBER >= 0x00907000L
98
- 	SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk);
99
-1.8.5.5
100
-

+ 0
- 34
net/haproxy/patches/0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch Bestand weergeven

@@ -1,35 +0,0 @@
1
-From 0dff81c6a5876172bc1d4725a7a07fddd9d1f369 Mon Sep 17 00:00:00 2001
2
-From: Willy Tarreau <w@1wt.eu>
3
-Date: Tue, 15 Jul 2014 21:34:06 +0200
4
-Subject: [PATCH 4/5] BUG/MINOR: http: base32+src should use the big endian
5
- version of base32
6
-
7
-We're using the internal memory representation of base32 here, which is
8
-wrong since these data might be exported to headers for logs or be used
9
-to stick to a server and replicated to other peers. Let's convert base32
10
-to big endian (network representation) when building the binary block.
11
-
12
-This mistake is also present in 1.5, it would be better to backport it.
13
-(cherry picked from commit 5ad6e1dc09f0a85aabf86f154b1817b9ebffb568)
14
----
15
- src/proto_http.c | 4 ++--
16
- 1 file changed, 2 insertions(+), 2 deletions(-)
17
-
18
-diff --git a/src/proto_http.c b/src/proto_http.c
19
-index 94afed7..b7ed85d 100644
20
---- a/src/proto_http.c
21
-+++ b/src/proto_http.c
22
-@@ -10358,8 +10358,8 @@ smp_fetch_base32_src(struct proxy *px, struct session *l4, void *l7, unsigned in
23
- 		return 0;
24
- 
25
- 	temp = get_trash_chunk();
26
--	memcpy(temp->str + temp->len, &smp->data.uint, sizeof(smp->data.uint));
27
--	temp->len += sizeof(smp->data.uint);
28
-+	*(unsigned int *)temp->str = htonl(smp->data.uint);
29
-+	temp->len += sizeof(unsigned int);
30
- 
31
- 	switch (cli_conn->addr.from.ss_family) {
32
- 	case AF_INET:
33
-1.8.5.5
34
-

+ 0
- 41
net/haproxy/patches/0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch Bestand weergeven

@@ -1,42 +0,0 @@
1
-From 66dbae025876a65c81ae3c4011e3aa3b630b42f7 Mon Sep 17 00:00:00 2001
2
-From: Dave McCowan <11235david@gmail.com>
3
-Date: Thu, 17 Jul 2014 14:34:01 -0400
4
-Subject: [PATCH 5/5] BUG/MEDIUM: connection: fix memory corruption when
5
- building a proxy v2 header
6
-
7
-Use temporary trash chunk, instead of global trash chunk in
8
-make_proxy_line_v2() to avoid memory overwrite.
9
-
10
-This fix must also be backported to 1.5.
11
-(cherry picked from commit 77d1f0143e210c13ee8ec6aaf6b3150fa4ce6c5b)
12
----
13
- src/connection.c | 6 ++++--
14
- 1 file changed, 4 insertions(+), 2 deletions(-)
15
-
16
-diff --git a/src/connection.c b/src/connection.c
17
-index 20a911b..3435b1a 100644
18
---- a/src/connection.c
19
-+++ b/src/connection.c
20
-@@ -622,6 +622,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
21
- 	char *value = NULL;
22
- 	struct tlv_ssl *tlv;
23
- 	int ssl_tlv_len = 0;
24
-+	struct chunk *cn_trash;
25
- #endif
26
- 
27
- 	if (buf_len < PP2_HEADER_LEN)
28
-@@ -682,8 +683,9 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
29
- 				tlv->verify = htonl(ssl_sock_get_verify_result(remote));
30
- 			}
31
- 			if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
32
--				if (ssl_sock_get_remote_common_name(remote, &trash) > 0) {
33
--					tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str);
34
-+				cn_trash = get_trash_chunk();
35
-+				if (ssl_sock_get_remote_common_name(remote, &cn_trash) > 0) {
36
-+					tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
37
- 					ssl_tlv_len += tlv_len;
38
- 				}
39
- 			}
40
-1.8.5.5
41
-

+ 0
- 33
net/haproxy/patches/0006-BUG-MEDIUM-connection-fix-proxy-v2-header-again.patch Bestand weergeven

@@ -1,34 +0,0 @@
1
-From 04b80cd29b23d02f373c095569e871275d128b43 Mon Sep 17 00:00:00 2001
2
-From: Willy Tarreau <w@1wt.eu>
3
-Date: Sat, 19 Jul 2014 06:37:33 +0200
4
-Subject: [PATCH 6/6] BUG/MEDIUM: connection: fix proxy v2 header again!
5
-
6
-Last commit 77d1f01 ("BUG/MEDIUM: connection: fix memory corruption
7
-when building a proxy v2 header") was wrong, using &cn_trash instead
8
-of cn_trash resulting in a warning and the client's SSL cert CN not
9
-being stored at the proper location.
10
-
11
-Thanks to Lukas Tribus for spotting this quickly.
12
-
13
-This should be backported to 1.5 after the patch above is backported.
14
-(cherry picked from commit 3b9a0c9d4d083d749846d66f9bd4caabafe4ee78)
15
----
16
- src/connection.c | 2 +-
17
- 1 file changed, 1 insertion(+), 1 deletion(-)
18
-
19
-diff --git a/src/connection.c b/src/connection.c
20
-index 3435b1a..2dd2c02 100644
21
---- a/src/connection.c
22
-+++ b/src/connection.c
23
-@@ -684,7 +684,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
24
- 			}
25
- 			if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
26
- 				cn_trash = get_trash_chunk();
27
--				if (ssl_sock_get_remote_common_name(remote, &cn_trash) > 0) {
28
-+				if (ssl_sock_get_remote_common_name(remote, cn_trash) > 0) {
29
- 					tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
30
- 					ssl_tlv_len += tlv_len;
31
- 				}
32
-1.8.5.5
33
-