haproxy: information leakage

ID ASA-201507-3
Type archlinux
Reporter Arch Linux
Modified 2015-07-04T00:00:00


A vulnerability was found in the handling of HTTP pipelining. In some cases, a client might be able to cause a buffer alignment issue and retrieve uninitialized memory contents that exhibit data from a past request or session.

With the proper timing and by requesting files of specific sizes from the backend servers in HTTP pipelining mode, one can trigger a call to a buffer alignment function which was not designed to work with pending output data. The effect is that the output data pointer points to the wrong location in the buffer, causing corruption on the client. It's more visible with chunked encoding and compressed bodies because the client cannot parse the response, but with a regular content-length body, the client will simply retrieve corrupted contents. That's not the worst problem in fact since pipelining is disabled in most clients. The real problem is that it allows the client to sometimes retrieve data from a previous session that remains in the buffer at the location where the output pointer lies. Thus it's an information leak vulnerability.