Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 464340 (CVE-2013-1912) - <net-proxy/haproxy-1.4.23: crash on TCP content inspection rules (CVE-2013-1912)
Summary: <net-proxy/haproxy-1.4.23: crash on TCP content inspection rules (CVE-2013-1912)
Alias: CVE-2013-1912
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2013-04-03 12:54 UTC by Agostino Sarubbo
Modified: 2013-07-11 23:33 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-04-03 12:54:02 UTC
From ${URL} :

Yves Lafon from the W3C reported some random crashes of haproxy with an
advanced configuration, that we finally considered was a security issue
as it could remotely be triggered.

--- summary ---

Configurations at risk are those which combine use of HTTP keywords in
TCP content inspection rules, client-side keep-alive, header rewriting
rules and which receive pipelined requests. These configurations may be
remotely crashed when run with haproxy 1.4 up to and including 1.4.22
or development versions up to and including 1.5-dev17. Versions 1.4.23
and 1.5-dev18 are safe.

--- quick workaround ---

Disable TCP content inspection, or disable HTTP keep-alive by inserting
"option forceclose" in the affected frontends.

--- details ---

During normal HTTP request processing, request buffers are realigned if
there are less than global.maxrewrite bytes available after them, in
order to leave enough room for rewriting headers after the request. This
is done in http_wait_for_request().
However, if some HTTP inspection happens during a "tcp-request content"
rule, this realignment is not performed. In theory this is not a problem
because empty buffers are always aligned and TCP inspection happens at
the beginning of a connection. But with HTTP keep-alive, it also happens
at the beginning of each subsequent request. So if a second request was
pipelined by the client before the first one had a chance to be forwarded,
the second request will not be realigned. Then, http_wait_for_request()
will not perform such a realignment either because the request was
already parsed and marked as such. The consequence of this, is that the
rewrite of a sufficient number of such pipelined, unaligned requests may
leave less room past the request been processed than the configured
reserve, which can lead to a buffer overflow if request processing appends
some data past the end of the buffer.
A number of conditions are required for the bug to be triggered :
   - HTTP keep-alive must be enabled ;
   - HTTP inspection in TCP rules must be used ;
   - some request appending rules are needed (reqadd, x-forwarded-for)
   - since empty buffers are always realigned, the client must pipeline
     enough requests so that the buffer always contains something till
     the point where there is no more room for rewriting.
While such a configuration is quite unlikely to be met (which is
confirmed by the bug's lifetime), a few people do use these features
together for very specific usages. And more importantly, writing such
a configuration and the request to attack it is trivial.
A quick workaround consists in forcing keep-alive off by adding
"option httpclose" or "option forceclose" in the frontend. Alternatively,
disabling HTTP-based TCP inspection rules enough if the application
supports it.
At first glance, this bug does not look like it could lead to remote code
execution, as the overflowing part is controlled by the configuration and
not by the user. But some deeper analysis should be performed to confirm
this. And anyway, corrupting the process' memory and crashing it is quite
Special thanks go to Yves Lafon from the W3C who reported this bug and
deployed significant efforts to collect the relevant data needed to
understand it in less than one week, and to Ryan O'Hara from Red Hat
for providing me with a CVE number.
CVE-2013-1912 was assigned to this issue.

--- links ---
1.4-stable patch for version <= 1.4.22 :;a=commitdiff;h=dc80672211
1.4.23 source code:

1.5-dev patch for versions <= 1.5-dev17 :;a=commitdiff;h=aae75e3279
1.5-dev18 source code:
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2013-04-04 19:17:26 UTC
I just added 1.4.23 so feel free to stabilze.
Comment 2 Agostino Sarubbo gentoo-dev 2013-04-05 09:18:58 UTC
Arches, please test and mark stable:
Target keywords : "amd64 ppc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2013-04-05 14:19:02 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-04-05 14:19:25 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-04-05 17:10:23 UTC
ppc stable
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-06 20:38:21 UTC
GLSA vote: no.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-04-11 16:52:23 UTC
CVE-2013-1912 (
  Buffer overflow in HAProxy 1.4 through 1.4.22 and 1.5-dev through 1.5-dev17,
  when HTTP keep-alive is enabled, using HTTP keywords in TCP inspection
  rules, and running with rewrite rules that appends to requests, allows
  remote attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via crafted pipelined HTTP requests that prevent request
  realignment from occurring.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-07-11 23:33:29 UTC
This issue was resolved and addressed in
 GLSA 201307-01 at
by GLSA coordinator Sean Amoss (ackle).