Hello community,
here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2016-08-03 11:43:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/haproxy (Old)
and /work/SRC/openSUSE:Factory/.haproxy.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haproxy"
Changes:
--------
--- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2016-06-14 23:07:09.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.haproxy.new/haproxy.changes 2016-08-03 11:43:12.000000000 +0200
@@ -1,0 +2,76 @@
+Tue Jul 19 01:50:28 UTC 2016 - mrueckert@suse.de
+
+- update to 1.6.7
+ - MINOR: new function my_realloc2 = realloc + free upon failure
+ - CLEANUP: fixed some usages of realloc leading to memory leak
+ - Revert "BUG/MINOR: ssl: fix potential memory leak in
+ ssl_sock_load_dh_params()"
+ - BUG/MEDIUM: dns: fix alignment issues in the DNS response
+ parser
+ - BUG/MINOR: Fix endiness issue in DNS header creation code
+- changes from 1.6.6
+ - BUG/MAJOR: fix listening IP address storage for frontends
+ - BUG/MINOR: fix listening IP address storage for frontends
+ (cont)
+ - DOC: Fix typo so fetch is properly parsed by Cyril's converter
+ - BUG/MAJOR: http: fix breakage of "reqdeny" causing random
+ crashes
+ - BUG/MEDIUM: stick-tables: fix breakage in table converters
+ - BUG/MEDIUM: dns: unbreak DNS resolver after header fix
+ - BUILD: fix build on Solaris 11
+ - CLEANUP: connection: fix double negation on memcmp()
+ - BUG/MEDIUM: stats: show servers state may show an servers from
+ another backend
+ - BUG/MEDIUM: fix risk of segfault with "show tls-keys"
+ - BUG/MEDIUM: sticktables: segfault in some configuration error
+ cases
+ - BUG/MEDIUM: lua: converters doesn't work
+ - BUG/MINOR: http: add-header: header name copied twice
+ - BUG/MEDIUM: http: add-header: buffer overwritten
+ - BUG/MINOR: ssl: fix potential memory leak in
+ ssl_sock_load_dh_params()
+ - BUG/MINOR: http: url32+src should use the big endian version of
+ url32
+ - BUG/MINOR: http: url32+src should check cli_conn before using
+ it
+ - DOC: http: add documentation for url32 and url32+src
+ - BUG/MINOR: fix http-response set-log-level parsing error
+ - MINOR: systemd: Use variable for config and pidfile paths
+ - MINOR: systemd: Perform sanity check on config before reload
+ (cherry picked from commit
+ 68535bddf305fdd22f1449a039939b57245212e7)
+ - BUG/MINOR: init: always ensure that global.rlimit_nofile
+ matches actual limits
+ - BUG/MINOR: init: ensure that FD limit is raised to the max
+ allowed
+ - BUG/MEDIUM: external-checks: close all FDs right after the
+ fork()
+ - BUG/MAJOR: external-checks: use asynchronous signal delivery
+ - BUG/MINOR: external-checks: do not unblock undesired signals
+ - BUILD/MEDIUM: rebuild everything when an include file is
+ changed
+ - BUILD/MEDIUM: force a full rebuild if some build options change
+ - BUG/MINOR: srv-state: fix incorrect output of state file
+ - BUG/MINOR: ssl: close ssl key file on error
+ - BUG/MINOR: http: fix misleading error message for response
+ captures
+ - BUG/BUILD: don't automatically run "make" on "make install"
+ - DOC: add missing doc for
+ http-request deny [deny_status <status>]
+- drop patches which were pulled from git before
+ 0001-BUG-MAJOR-fix-listening-IP-address-storage-for-front.patch
+ 0002-BUG-MINOR-fix-listening-IP-address-storage-for-front.patch
+ 0003-DOC-Fix-typo-so-fetch-is-properly-parsed-by-Cyril-s-.patch
+ 0004-BUG-MAJOR-http-fix-breakage-of-reqdeny-causing-rando.patch
+ 0005-BUG-MEDIUM-stick-tables-fix-breakage-in-table-conver.patch
+ 0006-BUG-MEDIUM-dns-unbreak-DNS-resolver-after-header-fix.patch
+ 0007-BUILD-fix-build-on-Solaris-11.patch
+ 0008-CLEANUP-connection-fix-double-negation-on-memcmp.patch
+ 0009-BUG-MEDIUM-stats-show-servers-state-may-show-an-serv.patch
+ 0010-BUG-MEDIUM-fix-risk-of-segfault-with-show-tls-keys.patch
+ 0011-BUG-MEDIUM-sticktables-segfault-in-some-configuratio.patch
+ 0012-BUG-MEDIUM-lua-converters-doesn-t-work.patch
+ 0013-BUG-MINOR-http-add-header-header-name-copied-twice.patch
+ 0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch
+
+-------------------------------------------------------------------
Old:
----
0001-BUG-MAJOR-fix-listening-IP-address-storage-for-front.patch
0002-BUG-MINOR-fix-listening-IP-address-storage-for-front.patch
0003-DOC-Fix-typo-so-fetch-is-properly-parsed-by-Cyril-s-.patch
0004-BUG-MAJOR-http-fix-breakage-of-reqdeny-causing-rando.patch
0005-BUG-MEDIUM-stick-tables-fix-breakage-in-table-conver.patch
0006-BUG-MEDIUM-dns-unbreak-DNS-resolver-after-header-fix.patch
0007-BUILD-fix-build-on-Solaris-11.patch
0008-CLEANUP-connection-fix-double-negation-on-memcmp.patch
0009-BUG-MEDIUM-stats-show-servers-state-may-show-an-serv.patch
0010-BUG-MEDIUM-fix-risk-of-segfault-with-show-tls-keys.patch
0011-BUG-MEDIUM-sticktables-segfault-in-some-configuratio.patch
0012-BUG-MEDIUM-lua-converters-doesn-t-work.patch
0013-BUG-MINOR-http-add-header-header-name-copied-twice.patch
0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch
haproxy-1.6.5.tar.gz
New:
----
haproxy-1.6.7.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ haproxy.spec ++++++
--- /var/tmp/diff_new_pack.H2eTA4/_old 2016-08-03 11:43:13.000000000 +0200
+++ /var/tmp/diff_new_pack.H2eTA4/_new 2016-08-03 11:43:13.000000000 +0200
@@ -41,7 +41,7 @@
%bcond_without apparmor
Name: haproxy
-Version: 1.6.5
+Version: 1.6.7
Release: 0
#
#
@@ -74,20 +74,6 @@
Patch1: haproxy-1.6.0_config_haproxy_user.patch
Patch2: haproxy-1.6.0-makefile_lib.patch
Patch3: haproxy-1.6.0-sec-options.patch
-Patch11: 0001-BUG-MAJOR-fix-listening-IP-address-storage-for-front.patch
-Patch12: 0002-BUG-MINOR-fix-listening-IP-address-storage-for-front.patch
-Patch13: 0003-DOC-Fix-typo-so-fetch-is-properly-parsed-by-Cyril-s-.patch
-Patch14: 0004-BUG-MAJOR-http-fix-breakage-of-reqdeny-causing-rando.patch
-Patch15: 0005-BUG-MEDIUM-stick-tables-fix-breakage-in-table-conver.patch
-Patch16: 0006-BUG-MEDIUM-dns-unbreak-DNS-resolver-after-header-fix.patch
-Patch17: 0007-BUILD-fix-build-on-Solaris-11.patch
-Patch18: 0008-CLEANUP-connection-fix-double-negation-on-memcmp.patch
-Patch19: 0009-BUG-MEDIUM-stats-show-servers-state-may-show-an-serv.patch
-Patch20: 0010-BUG-MEDIUM-fix-risk-of-segfault-with-show-tls-keys.patch
-Patch21: 0011-BUG-MEDIUM-sticktables-segfault-in-some-configuratio.patch
-Patch22: 0012-BUG-MEDIUM-lua-converters-doesn-t-work.patch
-Patch23: 0013-BUG-MINOR-http-add-header-header-name-copied-twice.patch
-Patch24: 0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch
#
Source99: haproxy-rpmlintrc
#
@@ -121,20 +107,6 @@
%patch1 -p1
%patch2
%patch3
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
%build
%{__make} \
++++++ haproxy-1.6.5.tar.gz -> haproxy-1.6.7.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/CHANGELOG new/haproxy-1.6.7/CHANGELOG
--- old/haproxy-1.6.5/CHANGELOG 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/CHANGELOG 2016-07-13 19:57:01.000000000 +0200
@@ -1,6 +1,48 @@
ChangeLog :
===========
+2016/07/13 : 1.6.7
+ - MINOR: new function my_realloc2 = realloc + free upon failure
+ - CLEANUP: fixed some usages of realloc leading to memory leak
+ - Revert "BUG/MINOR: ssl: fix potential memory leak in ssl_sock_load_dh_params()"
+ - BUG/MEDIUM: dns: fix alignment issues in the DNS response parser
+ - BUG/MINOR: Fix endiness issue in DNS header creation code
+
+2016/06/26 : 1.6.6
+ - BUG/MAJOR: fix listening IP address storage for frontends
+ - BUG/MINOR: fix listening IP address storage for frontends (cont)
+ - DOC: Fix typo so fetch is properly parsed by Cyril's converter
+ - BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes
+ - BUG/MEDIUM: stick-tables: fix breakage in table converters
+ - BUG/MEDIUM: dns: unbreak DNS resolver after header fix
+ - BUILD: fix build on Solaris 11
+ - CLEANUP: connection: fix double negation on memcmp()
+ - BUG/MEDIUM: stats: show servers state may show an servers from another backend
+ - BUG/MEDIUM: fix risk of segfault with "show tls-keys"
+ - BUG/MEDIUM: sticktables: segfault in some configuration error cases
+ - BUG/MEDIUM: lua: converters doesn't work
+ - BUG/MINOR: http: add-header: header name copied twice
+ - BUG/MEDIUM: http: add-header: buffer overwritten
+ - BUG/MINOR: ssl: fix potential memory leak in ssl_sock_load_dh_params()
+ - BUG/MINOR: http: url32+src should use the big endian version of url32
+ - BUG/MINOR: http: url32+src should check cli_conn before using it
+ - DOC: http: add documentation for url32 and url32+src
+ - BUG/MINOR: fix http-response set-log-level parsing error
+ - MINOR: systemd: Use variable for config and pidfile paths
+ - MINOR: systemd: Perform sanity check on config before reload (cherry picked from commit 68535bddf305fdd22f1449a039939b57245212e7)
+ - BUG/MINOR: init: always ensure that global.rlimit_nofile matches actual limits
+ - BUG/MINOR: init: ensure that FD limit is raised to the max allowed
+ - BUG/MEDIUM: external-checks: close all FDs right after the fork()
+ - BUG/MAJOR: external-checks: use asynchronous signal delivery
+ - BUG/MINOR: external-checks: do not unblock undesired signals
+ - BUILD/MEDIUM: rebuild everything when an include file is changed
+ - BUILD/MEDIUM: force a full rebuild if some build options change
+ - BUG/MINOR: srv-state: fix incorrect output of state file
+ - BUG/MINOR: ssl: close ssl key file on error
+ - BUG/MINOR: http: fix misleading error message for response captures
+ - BUG/BUILD: don't automatically run "make" on "make install"
+ - DOC: add missing doc for http-request deny [deny_status <status>]
+
2016/05/10 : 1.6.5
- BUG/MINOR: log: Don't use strftime() which can clobber timezone if chrooted
- BUILD: namespaces: fix a potential build warning in namespaces.c
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/Makefile new/haproxy-1.6.7/Makefile
--- old/haproxy-1.6.5/Makefile 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/Makefile 2016-07-13 19:57:01.000000000 +0200
@@ -49,6 +49,7 @@
# ARCH may be useful to force build of 32-bit binary on 64-bit systems
# CFLAGS is automatically set for the specified CPU and may be overridden.
# LDFLAGS is automatically set to -g and may be overridden.
+# DEP may be cleared to ignore changes to include files during development
# SMALL_OPTS may be used to specify some options to shrink memory usage.
# DEBUG may be used to set some internal debugging options.
# ADDINC may be used to complete the include path in the form -Ipath.
@@ -759,6 +760,13 @@
# Not used right now
LIB_EBTREE = $(EBTREE_DIR)/libebtree.a
+# Used only for forced dependency checking. May be cleared during development.
+INCLUDES = $(wildcard include/*/*.h ebtree/*.h)
+DEP = $(INCLUDES) .build_opts
+
+# Used only to force a rebuild if some build options change
+.build_opts: $(shell rm -f .build_opts.new; echo \'$(TARGET) $(BUILD_OPTIONS) $(VERBOSE_CFLAGS)\' > .build_opts.new; if cmp -s .build_opts .build_opts.new; then rm -f .build_opts.new; else mv -f .build_opts.new .build_opts; fi)
+
haproxy: $(OBJS) $(OPTIONS_OBJS) $(EBTREE_OBJS)
$(LD) $(LDFLAGS) -o $@ $^ $(LDOPTS)
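Review bot: The `$(shell ...)` in the prerequisite list of `.build_opts` is evaluated whenever the Makefile is parsed, so goals that compile nothing (`clean`, and `install` when run as root) still write `.build_opts.new`/`.build_opts` into the source tree. The `\'` sequences also reach the shell as literal quote characters, so the expanded `$(TARGET) $(BUILD_OPTIONS) $(VERBOSE_CFLAGS)` text is unquoted and any `;`, `>`, backquote or `$(` inside an option value is interpreted by the shell instead of being recorded. At minimum I would document this next to the rule, e.g. `# Evaluated at parse time for every goal; option values must not contain shell metacharacters.`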
@@ -771,13 +779,13 @@
objsize: haproxy
@objdump -t $^|grep ' g '|grep -F '.text'|awk '{print $$5 FS $$6}'|sort
-%.o: %.c
+%.o: %.c $(DEP)
$(CC) $(COPTS) -c -o $@ $<
-src/trace.o: src/trace.c
+src/trace.o: src/trace.c $(DEP)
$(CC) $(TRACE_COPTS) -c -o $@ $<
-src/haproxy.o: src/haproxy.c
+src/haproxy.o: src/haproxy.c $(DEP)
$(CC) $(COPTS) \
-DBUILD_TARGET='"$(strip $(TARGET))"' \
-DBUILD_ARCH='"$(strip $(ARCH))"' \
@@ -787,12 +795,12 @@
-DBUILD_OPTIONS='"$(strip $(BUILD_OPTIONS))"' \
-c -o $@ $<
-src/haproxy-systemd-wrapper.o: src/haproxy-systemd-wrapper.c
+src/haproxy-systemd-wrapper.o: src/haproxy-systemd-wrapper.c $(DEP)
$(CC) $(COPTS) \
-DSBINDIR='"$(strip $(SBINDIR))"' \
-c -o $@ $<
-src/dlmalloc.o: $(DLMALLOC_SRC)
+src/dlmalloc.o: $(DLMALLOC_SRC) $(DEP)
$(CC) $(COPTS) -DDEFAULT_MMAP_THRESHOLD=$(DLMALLOC_THRES) -c -o $@ $<
install-man:
@@ -808,7 +816,13 @@
install -m 644 doc/$$x.txt "$(DESTDIR)$(DOCDIR)" ; \
done
-install-bin: haproxy $(EXTRA)
+install-bin:
+ @for i in haproxy $(EXTRA); do \
+ if ! [ -e "$$i" ]; then \
+ echo "Please run 'make' before 'make install'."; \
+ exit 1; \
+ fi; \
+ done
install -d "$(DESTDIR)$(SBINDIR)"
install haproxy $(EXTRA) "$(DESTDIR)$(SBINDIR)"
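Review bot: The new guard in `install-bin` prints its error on stdout and does not say which file is missing, which is hard to diagnose when `$(EXTRA)` holds several binaries. I would write `echo "Please run 'make' before 'make install' ($$i is missing)." >&2; \`. The test is also existence-only, so a stale binary left from an earlier build with different options is installed silently; a one-line comment above the loop should say so.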
@@ -824,7 +838,7 @@
rm -f "$(DESTDIR)$(SBINDIR)"/haproxy-systemd-wrapper
clean:
- rm -f *.[oas] src/*.[oas] ebtree/*.[oas] haproxy test
+ rm -f *.[oas] src/*.[oas] ebtree/*.[oas] haproxy test .build_opts .build_opts.new
for dir in . src include/* doc ebtree; do rm -f $$dir/*~ $$dir/*.rej $$dir/core; done
rm -f haproxy-$(VERSION).tar.gz haproxy-$(VERSION)$(SUBVERS).tar.gz
rm -f haproxy-$(VERSION) haproxy-$(VERSION)$(SUBVERS) nohup.out gmon.out
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/README new/haproxy-1.6.7/README
--- old/haproxy-1.6.5/README 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/README 2016-07-13 19:57:01.000000000 +0200
@@ -3,7 +3,7 @@
----------------------
version 1.6
willy tarreau
- 2016/05/10
+ 2016/07/13
1) How to build it
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/VERDATE new/haproxy-1.6.7/VERDATE
--- old/haproxy-1.6.5/VERDATE 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/VERDATE 2016-07-13 19:57:01.000000000 +0200
@@ -1,2 +1,2 @@
$Format:%ci$
-2016/05/10
+2016/07/13
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/VERSION new/haproxy-1.6.7/VERSION
--- old/haproxy-1.6.5/VERSION 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/VERSION 2016-07-13 19:57:01.000000000 +0200
@@ -1 +1 @@
-1.6.5
+1.6.7
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/contrib/systemd/haproxy.service.in new/haproxy-1.6.7/contrib/systemd/haproxy.service.in
--- old/haproxy-1.6.5/contrib/systemd/haproxy.service.in 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/contrib/systemd/haproxy.service.in 2016-07-13 19:57:01.000000000 +0200
@@ -3,8 +3,10 @@
After=network.target
[Service]
-ExecStartPre=@SBINDIR@/haproxy -f /etc/haproxy/haproxy.cfg -c -q
-ExecStart=@SBINDIR@/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
+Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid"
+ExecStartPre=@SBINDIR@/haproxy -f $CONFIG -c -q
+ExecStart=@SBINDIR@/haproxy-systemd-wrapper -f $CONFIG -p $PIDFILE
+ExecReload=@SBINDIR@/haproxy -f $CONFIG -c -q
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
Restart=always
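Review bot: The unbraced `$CONFIG` and `$PIDFILE` on the `ExecStartPre=`, `ExecStart=` and `ExecReload=` lines are word-split by systemd, so a path containing whitespace (for example one set through a drop-in) becomes several arguments. The braced form is passed as one argument: `ExecStartPre=@SBINDIR@/haproxy -f ${CONFIG} -c -q`, `ExecStart=@SBINDIR@/haproxy-systemd-wrapper -f ${CONFIG} -p ${PIDFILE}` and `ExecReload=@SBINDIR@/haproxy -f ${CONFIG} -c -q`.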
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/doc/configuration.txt new/haproxy-1.6.7/doc/configuration.txt
--- old/haproxy-1.6.5/doc/configuration.txt 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/doc/configuration.txt 2016-07-13 19:57:01.000000000 +0200
@@ -4,7 +4,7 @@
----------------------
version 1.6
willy tarreau
- 2016/05/10
+ 2016/07/13
This document covers the configuration language as implemented in the version
@@ -3421,7 +3421,8 @@
See also : "option httpchk", "http-check disable-on-404"
-http-request { allow | deny | tarpit | auth [realm <realm>] | redirect <rule> |
+http-request { allow | tarpit | auth [realm <realm>] | redirect <rule> |
+ deny [deny_status <status>] |
add-header <name> <fmt> | set-header <name> <fmt> |
capture <sample> [ len <length> | id <id> ] |
del-header <name> | set-nice <nice> | set-log-level <level> |
@@ -3456,8 +3457,10 @@
pass the check. No further "http-request" rules are evaluated.
- "deny" : this stops the evaluation of the rules and immediately rejects
- the request and emits an HTTP 403 error. No further "http-request" rules
- are evaluated.
+ the request and emits an HTTP 403 error, or optionally the status code
+ specified as an argument to "deny_status". The list of permitted status
+ codes is limited to those that can be overridden by the "errorfile"
+ directive. No further "http-request" rules are evaluated.
- "tarpit" : this stops the evaluation of the rules and immediately blocks
the request without responding for a delay specified by "timeout tarpit"
@@ -13043,7 +13046,7 @@
that the SSL library is build with support for TLS extensions enabled (check
haproxy -vv).
-ssl_fc_is_resumed: boolean
+ssl_fc_is_resumed : boolean
Returns true if the SSL/TLS session has been resumed through the use of
SSL session cache or TLS tickets.
@@ -13854,6 +13857,18 @@
and converts it to an integer value. This can be used for session stickiness
based on a user ID for example, or with ACLs to match a page number or price.
+url32 : integer
+ This returns a 32-bit hash of the value obtained by concatenating the first
+ Host header and the whole URL including parameters (not only the path part of
+ the request, as in the "base32" fetch above). This is useful to track per-URL
+ activity. A shorter hash is stored, saving a lot of memory. The output type
+ is an unsigned integer.
+
+url32+src : binary
+ This returns the concatenation of the "url32" fetch and the "src" fetch. The
+ resulting type is of type binary, with a size of 8 or 20 bytes depending on
+ the source address family. This can be used to track per-IP, per-URL counters.
+
7.4. Pre-defined ACLs
---------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/examples/haproxy.spec new/haproxy-1.6.7/examples/haproxy.spec
--- old/haproxy-1.6.5/examples/haproxy.spec 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/examples/haproxy.spec 2016-07-13 19:57:01.000000000 +0200
@@ -1,6 +1,6 @@
Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments
Name: haproxy
-Version: 1.6.5
+Version: 1.6.7
Release: 1
License: GPL
Group: System Environment/Daemons
@@ -74,6 +74,12 @@
%attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name}
%changelog
+* Wed Jul 13 2016 Willy Tarreau
+- updated to 1.6.7
+
+* Sun Jun 26 2016 Willy Tarreau
+- updated to 1.6.6
+
* Tue May 10 2016 Willy Tarreau
- updated to 1.6.5
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/include/common/standard.h new/haproxy-1.6.7/include/common/standard.h
--- old/haproxy-1.6.5/include/common/standard.h 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/include/common/standard.h 2016-07-13 19:57:01.000000000 +0200
@@ -813,10 +813,10 @@
}
/* Return true if IPv4 address is part of the network */
-extern int in_net_ipv4(struct in_addr *addr, struct in_addr *mask, struct in_addr *net);
+extern int in_net_ipv4(const void *addr, const struct in_addr *mask, const struct in_addr *net);
/* Return true if IPv6 address is part of the network */
-extern int in_net_ipv6(struct in6_addr *addr, struct in6_addr *mask, struct in6_addr *net);
+extern int in_net_ipv6(const void *addr, const struct in6_addr *mask, const struct in6_addr *net);
/* Map IPv4 adress on IPv6 address, as specified in RFC 3513. */
extern void v4tov6(struct in6_addr *sin6_addr, struct in_addr *sin_addr);
@@ -1009,8 +1009,7 @@
* the whole code is optimized out. In little endian, with a decent compiler,
* a few bswap and 2 shifts are left, which is the minimum acceptable.
*/
-#ifndef htonll
-static inline unsigned long long htonll(unsigned long long a)
+static inline unsigned long long my_htonll(unsigned long long a)
{
union {
struct {
@@ -1021,15 +1020,12 @@
} w = { .by64 = a };
return ((unsigned long long)htonl(w.by32.w1) << 32) | htonl(w.by32.w2);
}
-#endif
/* Turns 64-bit value <a> from network byte order to host byte order. */
-#ifndef ntohll
-static inline unsigned long long ntohll(unsigned long long a)
+static inline unsigned long long my_ntohll(unsigned long long a)
{
- return htonll(a);
+ return my_htonll(a);
}
-#endif
/* returns a 64-bit a timestamp with the finest resolution available. The
* unit is intentionally not specified. It's mostly used to compare dates.
@@ -1050,4 +1046,23 @@
}
#endif
+/* append a copy of string <str> (in a wordlist) at the end of the list <li>
+ * On failure : return 0 and <err> filled with an error message.
+ * The caller is responsible for freeing the <err> and <str> copy
+ * memory area using free()
+ */
+struct list;
+int list_append_word(struct list *li, const char *str, char **err);
+
+/* same as realloc() except that ptr is also freed upon failure */
+static inline void *my_realloc2(void *ptr, size_t size)
+{
+ void *ret;
+
+ ret = realloc(ptr, size);
+ if (!ret && size)
+ free(ptr);
+ return ret;
+}
+
#endif /* _COMMON_STANDARD_H */
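Review bot: The comment on `my_realloc2()` does not explain the `&& size` test, which is the subtle part of the helper. With `size == 0`, realloc() may return NULL after already releasing `ptr`, so freeing again would be a double free. I would extend the comment to say `a NULL return with size == 0 is not treated as a failure because realloc() may already have released ptr`. It should also say that on failure the old pointer is gone, so callers must check the result before reusing the buffer.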
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/include/proto/proto_http.h new/haproxy-1.6.7/include/proto/proto_http.h
--- old/haproxy-1.6.5/include/proto/proto_http.h 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/include/proto/proto_http.h 2016-07-13 19:57:01.000000000 +0200
@@ -110,7 +110,7 @@
int http_transform_header_str(struct stream* s, struct http_msg *msg, const char* name,
unsigned int name_len, const char *str, struct my_regex *re,
int action);
-void inet_set_tos(int fd, struct sockaddr_storage from, int tos);
+void inet_set_tos(int fd, const struct sockaddr_storage *from, int tos);
void http_perform_server_redirect(struct stream *s, struct stream_interface *si);
void http_return_srv_error(struct stream *s, struct stream_interface *si);
void http_capture_bad_message(struct error_snapshot *es, struct stream *s,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/include/types/dns.h new/haproxy-1.6.7/include/types/dns.h
--- old/haproxy-1.6.5/include/types/dns.h 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/include/types/dns.h 2016-07-13 19:57:01.000000000 +0200
@@ -57,22 +57,13 @@
/* DNS request or response header structure */
struct dns_header {
- unsigned short id:16; /* identifier */
- unsigned char qr :1; /* query/response 0: query, 1: response */
- unsigned char opcode :4; /* operation code */
- unsigned char aa :1; /* authoritative answer 0: no, 1: yes */
- unsigned char tc :1; /* truncation 0:no, 1: yes */
- unsigned char rd :1; /* recursion desired 0: no, 1: yes */
- unsigned char ra :1; /* recursion available 0: no, 1: yes */
- unsigned char z :1; /* not used */
- unsigned char ad :1; /* authentic data */
- unsigned char cd :1; /* checking disabled */
- unsigned char rcode :4; /* response code */
- unsigned short qdcount :16; /* question count */
- unsigned short ancount :16; /* answer count */
- unsigned short nscount :16; /* authority count */
- unsigned short arcount :16; /* additional count */
-};
+ uint16_t id;
+ uint16_t flags;
+ uint16_t qdcount;
+ uint16_t ancount;
+ uint16_t nscount;
+ uint16_t arcount;
+} __attribute__ ((packed));
/* short structure to describe a DNS question */
struct dns_question {
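Review bot: The rewritten `struct dns_header` drops every field comment, and the new `flags` member has no description of its bit layout, which was previously the only in-tree record of it. I would restore them, e.g. `uint16_t flags; /* qr:1 opcode:4 aa:1 tc:1 rd:1 ra:1 z:1 ad:1 cd:1 rcode:4, network byte order */`, and mark the counters as network byte order too. Because the struct is now `packed`, its members are not guaranteed to be aligned, so a comment should warn against taking a `uint16_t *` to a member.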
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/include/types/proto_http.h new/haproxy-1.6.7/include/types/proto_http.h
--- old/haproxy-1.6.5/include/types/proto_http.h 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/include/types/proto_http.h 2016-07-13 19:57:01.000000000 +0200
@@ -362,7 +362,6 @@
unsigned int flags; /* transaction flags */
enum http_meth_t meth; /* HTTP method */
/* 1 unused byte here */
- short rule_deny_status; /* HTTP status from rule when denying */
short status; /* HTTP status from the server, negative if from proxy */
char *uri; /* first line if log needed, NULL otherwise */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/cfgparse.c new/haproxy-1.6.7/src/cfgparse.c
--- old/haproxy-1.6.5/src/cfgparse.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/cfgparse.c 2016-07-13 19:57:01.000000000 +0200
@@ -285,7 +285,7 @@
}
/* OK the address looks correct */
- ss = *ss2;
+ memcpy(&ss, ss2, sizeof(ss));
for (; port <= end; port++) {
l = (struct listener *)calloc(1, sizeof(struct listener));
@@ -296,7 +296,7 @@
l->bind_conf = bind_conf;
l->fd = fd;
- l->addr = ss;
+ memcpy(&l->addr, &ss, sizeof(ss));
l->xprt = &raw_sock;
l->state = LI_INIT;
@@ -1580,10 +1580,10 @@
if (logsrv->maxlen > global.max_syslog_len) {
global.max_syslog_len = logsrv->maxlen;
- logheader = realloc(logheader, global.max_syslog_len + 1);
- logheader_rfc5424 = realloc(logheader_rfc5424, global.max_syslog_len + 1);
- logline = realloc(logline, global.max_syslog_len + 1);
- logline_rfc5424 = realloc(logline_rfc5424, global.max_syslog_len + 1);
+ logheader = my_realloc2(logheader, global.max_syslog_len + 1);
+ logheader_rfc5424 = my_realloc2(logheader_rfc5424, global.max_syslog_len + 1);
+ logline = my_realloc2(logline, global.max_syslog_len + 1);
+ logline_rfc5424 = my_realloc2(logline_rfc5424, global.max_syslog_len + 1);
}
/* after the length, a format may be specified */
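Review bot: The four `my_realloc2()` results are stored without a NULL check, and `global.max_syslog_len` has already been raised by then. After a failed allocation the log buffers are NULL while the recorded length says they hold `max_syslog_len + 1` bytes. The same pattern is repeated in the hunk at -5945. I would test the results right after the four calls, e.g. `if (!logheader || !logheader_rfc5424 || !logline || !logline_rfc5424) { /* report out of memory and fail parsing */ }`. The surrounding function and its error path are outside the hunk, so the exact failure return has to follow local convention.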
@@ -5945,10 +5945,10 @@
if (logsrv->maxlen > global.max_syslog_len) {
global.max_syslog_len = logsrv->maxlen;
- logheader = realloc(logheader, global.max_syslog_len + 1);
- logheader_rfc5424 = realloc(logheader_rfc5424, global.max_syslog_len + 1);
- logline = realloc(logline, global.max_syslog_len + 1);
- logline_rfc5424 = realloc(logline_rfc5424, global.max_syslog_len + 1);
+ logheader = my_realloc2(logheader, global.max_syslog_len + 1);
+ logheader_rfc5424 = my_realloc2(logheader_rfc5424, global.max_syslog_len + 1);
+ logline = my_realloc2(logline, global.max_syslog_len + 1);
+ logline_rfc5424 = my_realloc2(logline_rfc5424, global.max_syslog_len + 1);
}
/* after the length, a format may be specified */
@@ -8728,6 +8728,7 @@
if(bind_conf->keys_ref) {
free(bind_conf->keys_ref->filename);
free(bind_conf->keys_ref->tlskeys);
+ LIST_DEL(&bind_conf->keys_ref->list);
free(bind_conf->keys_ref);
}
#endif /* USE_OPENSSL */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/checks.c new/haproxy-1.6.7/src/checks.c
--- old/haproxy-1.6.5/src/checks.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/checks.c 2016-07-13 19:57:01.000000000 +0200
@@ -58,6 +58,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -1521,14 +1522,15 @@
sigset_t set;
sigemptyset(&set);
sigaddset(&set, SIGCHLD);
- assert(sigprocmask(SIG_SETMASK, &set, NULL) == 0);
+ assert(sigprocmask(SIG_BLOCK, &set, NULL) == 0);
}
void unblock_sigchld(void)
{
sigset_t set;
sigemptyset(&set);
- assert(sigprocmask(SIG_SETMASK, &set, NULL) == 0);
+ sigaddset(&set, SIGCHLD);
+ assert(sigprocmask(SIG_UNBLOCK, &set, NULL) == 0);
}
/* Call with SIGCHLD blocked */
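Review bot: Both `sigprocmask()` calls are still made inside `assert()`, so a build with `NDEBUG` defined compiles them out and SIGCHLD is never blocked or unblocked. The call should be made unconditionally and only its result asserted, e.g. `int ret = sigprocmask(SIG_BLOCK, &set, NULL); assert(ret == 0); (void)ret;`, and likewise for `SIG_UNBLOCK` in `unblock_sigchld()`. The first function's opening lines are above the hunk.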
@@ -1584,25 +1586,22 @@
}
}
-static void sigchld_handler(int signal)
+static void sigchld_handler(struct sig_handler *sh)
{
pid_t pid;
int status;
+
while ((pid = waitpid(0, &status, WNOHANG)) > 0)
pid_list_expire(pid, status);
}
-static int init_pid_list(void) {
- struct sigaction action = {
- .sa_handler = sigchld_handler,
- .sa_flags = SA_NOCLDSTOP
- };
-
+static int init_pid_list(void)
+{
if (pool2_pid_list != NULL)
/* Nothing to do */
return 0;
- if (sigaction(SIGCHLD, &action, NULL)) {
+ if (!signal_register_fct(SIGCHLD, sigchld_handler, SIGCHLD)) {
Alert("Failed to set signal handler for external health checks: %s. Aborting.\n",
strerror(errno));
return 1;
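Review bot: The Alert in `init_pid_list()` still formats `strerror(errno)`, but the failing call is now `signal_register_fct()` rather than `sigaction()`. Whether that helper sets `errno` on failure is not visible here; if it fails on an internal allocation, the message will print an unrelated or stale error string. I would drop the `%s` and say `"Failed to set signal handler for external health checks. Aborting.\n"` unless the helper documents that it sets `errno`.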
@@ -1817,6 +1816,14 @@
if (pid == 0) {
/* Child */
extern char **environ;
+ int fd;
+
+ /* close all FDs. Keep stdin/stdout/stderr in verbose mode */
+ fd = (global.mode & (MODE_QUIET|MODE_VERBOSE)) == MODE_QUIET ? 0 : 3;
+
+ while (fd < global.rlimit_nofile)
+ close(fd++);
+
environ = check->envp;
extchk_setenv(check, EXTCHK_HAPROXY_SERVER_CURCONN, ultoa_r(s->cur_sess, buf, sizeof(buf)));
execvp(px->check_command, check->argv);
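Review bot: In quiet mode the loop starts at `fd = 0`, so the external check command is executed with stdin, stdout and stderr closed. The first files that command opens then receive descriptors 0-2, and anything it prints to stdout or stderr is written into those files. I would always start closing at 3 and, in quiet mode, redirect 0-2 to `/dev/null` as sketched below. `open()` needs `<fcntl.h>`, and whether checks.c already includes it is not visible in this diff; the enclosing function also starts and ends outside the hunk.

```c
		/* Child */
		extern char **environ;
		int fd;

		/* close every inherited FD above stderr */
		for (fd = 3; fd < global.rlimit_nofile; fd++)
			close(fd);

		/* in quiet mode, point stdin/stdout/stderr at /dev/null rather
		 * than leaving them closed, so that the command's first open()
		 * cannot land on descriptors 0-2
		 */
		if ((global.mode & (MODE_QUIET|MODE_VERBOSE)) == MODE_QUIET) {
			fd = open("/dev/null", O_RDWR);
			if (fd >= 0) {
				dup2(fd, 0);
				dup2(fd, 1);
				dup2(fd, 2);
				if (fd > 2)
					close(fd);
			}
		}
		/* … unchanged: environ setup, extchk_setenv() and execvp() … */
```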
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/chunk.c new/haproxy-1.6.7/src/chunk.c
--- old/haproxy-1.6.5/src/chunk.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/chunk.c 2016-07-13 19:57:01.000000000 +0200
@@ -17,6 +17,7 @@
#include
#include
+#include
/* trash chunks used for various conversions */
static struct chunk *trash_chunk;
@@ -60,8 +61,8 @@
int alloc_trash_buffers(int bufsize)
{
trash_size = bufsize;
- trash_buf1 = (char *)realloc(trash_buf1, bufsize);
- trash_buf2 = (char *)realloc(trash_buf2, bufsize);
+ trash_buf1 = (char *)my_realloc2(trash_buf1, bufsize);
+ trash_buf2 = (char *)my_realloc2(trash_buf2, bufsize);
return trash_buf1 && trash_buf2;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/connection.c new/haproxy-1.6.7/src/connection.c
--- old/haproxy-1.6.5/src/connection.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/connection.c 2016-07-13 19:57:01.000000000 +0200
@@ -385,7 +385,7 @@
if (trash.len < 9) /* shortest possible line */
goto missing;
- if (!memcmp(line, "TCP4 ", 5) != 0) {
+ if (memcmp(line, "TCP4 ", 5) == 0) {
u32 src3, dst3, sport, dport;
line += 5;
@@ -426,7 +426,7 @@
((struct sockaddr_in *)&conn->addr.to)->sin_port = htons(dport);
conn->flags |= CO_FL_ADDR_FROM_SET | CO_FL_ADDR_TO_SET;
}
- else if (!memcmp(line, "TCP6 ", 5) != 0) {
+ else if (memcmp(line, "TCP6 ", 5) == 0) {
u32 sport, dport;
char *src_s;
char *dst_s, *sport_s, *dport_s;
@@ -744,7 +744,7 @@
const char pp2_signature[] = PP2_SIGNATURE;
int ret = 0;
struct proxy_hdr_v2 *hdr = (struct proxy_hdr_v2 *)buf;
- struct sockaddr_storage null_addr = {0};
+ struct sockaddr_storage null_addr = { .ss_family = 0 };
struct sockaddr_storage *src = &null_addr;
struct sockaddr_storage *dst = &null_addr;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/dns.c new/haproxy-1.6.7/src/dns.c
--- old/haproxy-1.6.5/src/dns.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/dns.c 2016-07-13 19:57:01.000000000 +0200
@@ -677,8 +677,7 @@
switch (type) {
case DNS_RTYPE_A:
/* check if current reccord's IP is the same as server one's */
- if ((currentip_sin_family == AF_INET)
- && (*(uint32_t *)reader == *(uint32_t *)currentip)) {
+ if ((currentip_sin_family == AF_INET) && memcmp(reader, currentip, 4) == 0) {
currentip_found = 1;
newip4 = reader;
/* we can stop now if server's family preference is IPv4
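Review bot: `memcmp(reader, currentip, 4)` reads four bytes from the response buffer, and nothing in this hunk shows that the record's data length was checked to be 4 and to lie inside the received packet before this point. That check may exist earlier in the function, which starts outside the hunk; if so, a short comment here pointing to it would help. I would also replace the bare `4` with `sizeof(struct in_addr)` so the size is tied to the type being compared.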
@@ -917,14 +916,7 @@
/* set dns query headers */
dns = (struct dns_header *)ptr;
dns->id = (unsigned short) htons(query_id);
- dns->qr = 0; /* query */
- dns->opcode = 0;
- dns->aa = 0;
- dns->tc = 0;
- dns->rd = 1; /* recursion desired */
- dns->ra = 0;
- dns->z = 0;
- dns->rcode = 0;
+ dns->flags = htons(0x0100); /* qr=0, opcode=0, aa=0, tc=0, rd=1, ra=0, z=0, rcode=0 */
dns->qdcount = htons(1); /* 1 question */
dns->ancount = 0;
dns->nscount = 0;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/dumpstats.c new/haproxy-1.6.7/src/dumpstats.c
--- old/haproxy-1.6.5/src/dumpstats.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/dumpstats.c 2016-07-13 19:57:01.000000000 +0200
@@ -2755,6 +2755,9 @@
if (appctx->ctx.server_state.px->bind_proc && !(appctx->ctx.server_state.px->bind_proc & (1UL << (relative_pid - 1))))
return 1;
+ if (!appctx->ctx.server_state.sv)
+ appctx->ctx.server_state.sv = appctx->ctx.server_state.px->srv;
+
for (; appctx->ctx.server_state.sv != NULL; appctx->ctx.server_state.sv = srv->next) {
srv = appctx->ctx.server_state.sv;
srv_addr[0] = '\0';
@@ -2846,19 +2849,24 @@
chunk_reset(&trash);
- if (!appctx->ctx.server_state.px) {
+ if (appctx->st2 == STAT_ST_INIT) {
+ if (!appctx->ctx.server_state.px)
+ appctx->ctx.server_state.px = proxy;
+ appctx->st2 = STAT_ST_HEAD;
+ }
+
+ if (appctx->st2 == STAT_ST_HEAD) {
chunk_printf(&trash, "%d\n# %s\n", SRV_STATE_FILE_VERSION, SRV_STATE_FILE_FIELD_NAMES);
if (bi_putchk(si_ic(si), &trash) == -1) {
si_applet_cant_put(si);
return 0;
}
- appctx->ctx.server_state.px = proxy;
+ appctx->st2 = STAT_ST_INFO;
}
+ /* STAT_ST_INFO */
for (; appctx->ctx.server_state.px != NULL; appctx->ctx.server_state.px = curproxy->next) {
curproxy = appctx->ctx.server_state.px;
- if (!appctx->ctx.server_state.sv)
- appctx->ctx.server_state.sv = appctx->ctx.server_state.px->srv;
/* servers are only in backends */
if (curproxy->cap & PR_CAP_BE) {
if (!dump_servers_state(si, &trash))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/haproxy.c new/haproxy-1.6.7/src/haproxy.c
--- old/haproxy-1.6.5/src/haproxy.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/haproxy.c 2016-07-13 19:57:01.000000000 +0200
@@ -1650,7 +1650,14 @@
if (global.rlimit_nofile) {
limit.rlim_cur = limit.rlim_max = global.rlimit_nofile;
if (setrlimit(RLIMIT_NOFILE, &limit) == -1) {
- Warning("[%s.main()] Cannot raise FD limit to %d.\n", argv[0], global.rlimit_nofile);
+ /* try to set it to the max possible at least */
+ getrlimit(RLIMIT_NOFILE, &limit);
+ limit.rlim_cur = limit.rlim_max;
+ if (setrlimit(RLIMIT_NOFILE, &limit) != -1)
+ getrlimit(RLIMIT_NOFILE, &limit);
+
+ Warning("[%s.main()] Cannot raise FD limit to %d, limit is %d.\n", argv[0], global.rlimit_nofile, (int)limit.rlim_cur);
+ global.rlimit_nofile = limit.rlim_cur;
}
}
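Review bot: In the fallback added after the failed setrlimit(), both getrlimit() calls are unchecked and the result is narrowed with `(int)limit.rlim_cur`. If the first getrlimit() fails, `limit` still holds the requested value, so the warning and `global.rlimit_nofile` would report a limit that was never applied. If the hard limit is RLIM_INFINITY or larger than INT_MAX, the cast and the assignment `global.rlimit_nofile = limit.rlim_cur;` truncate (the field looks like an int, given the `%d`). Guarding the block with `if (getrlimit(RLIMIT_NOFILE, &limit) == 0)` and clamping before the assignment would keep anything sized from this value correct. The enclosing function starts and ends outside the hunk.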
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/hlua.c new/haproxy-1.6.7/src/hlua.c
--- old/haproxy-1.6.5/src/hlua.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/hlua.c 2016-07-13 19:57:01.000000000 +0200
@@ -4790,7 +4790,7 @@
tos = MAY_LJMP(luaL_checkinteger(L, 2));
if ((cli_conn = objt_conn(htxn->s->sess->origin)) && conn_ctrl_ready(cli_conn))
- inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, tos);
+ inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, tos);
return 0;
}
@@ -5167,7 +5167,7 @@
return 0;
}
hlua_smp2lua(stream->hlua.T, smp);
- stream->hlua.nargs = 2;
+ stream->hlua.nargs = 1;
/* push keywords in the stack. */
if (arg_p) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/proto_http.c new/haproxy-1.6.7/src/proto_http.c
--- old/haproxy-1.6.5/src/proto_http.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/proto_http.c 2016-07-13 19:57:01.000000000 +0200
@@ -3403,15 +3403,15 @@
/* Sets the TOS header in IPv4 and the traffic class header in IPv6 packets
* (as per RFC3260 #4 and BCP37 #4.2 and #5.2).
*/
-void inet_set_tos(int fd, struct sockaddr_storage from, int tos)
+void inet_set_tos(int fd, const struct sockaddr_storage *from, int tos)
{
#ifdef IP_TOS
- if (from.ss_family == AF_INET)
+ if (from->ss_family == AF_INET)
setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos));
#endif
#ifdef IPV6_TCLASS
- if (from.ss_family == AF_INET6) {
- if (IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&from)->sin6_addr))
+ if (from->ss_family == AF_INET6) {
+ if (IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)from)->sin6_addr))
/* v4-mapped addresses need IP_TOS */
setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos));
else
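Review bot: `from` is now a `const struct sockaddr_storage *`, but the v4-mapped test casts the qualifier away with `(struct sockaddr_in6 *)from`. `IN6_IS_ADDR_V4MAPPED(&((const struct sockaddr_in6 *)from)->sin6_addr)` keeps the const promise made by the new signature and stays quiet under -Wcast-qual. The setsockopt() results are also ignored in the lines shown, so a TOS value that could not be applied is silent. The rest of the function body is outside the hunk.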
@@ -3490,10 +3490,12 @@
* further processing of the request (auth, deny, ...), and defaults to
* HTTP_RULE_RES_STOP if it executed all rules or stopped on an allow, or
* HTTP_RULE_RES_CONT if the last rule was reached. It may set the TX_CLTARPIT
- * on txn->flags if it encounters a tarpit rule.
+ * on txn->flags if it encounters a tarpit rule. If is not NULL
+ * and a deny/tarpit rule is matched, it will be filled with this rule's deny
+ * status.
*/
enum rule_result
-http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s)
+http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s, int *deny_status)
{
struct session *sess = strm_sess(s);
struct http_txn *txn = s->txn;
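Review bot: The sentence added to the function comment reads "If is not NULL", so the name of the parameter it describes is missing; it should read `If deny_status is not NULL and a deny/tarpit rule is matched, ...`. In the hunks shown, `*deny_status` is written only in the ACT_ACTION_DENY and ACT_HTTP_REQ_TARPIT cases, so the comment should also say that it is left untouched otherwise. Callers therefore have to initialise it before the call, as the caller later in this file does with `int deny_status = HTTP_ERR_403;`.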
@@ -3502,6 +3504,7 @@
struct hdr_ctx ctx;
const char *auth_realm;
int act_flags = 0;
+ int len;
/* If "the current_rule_list" match the executed rule list, we are in
* resume condition. If a resume is needed it is always in the action
@@ -3539,12 +3542,14 @@
return HTTP_RULE_RES_STOP;
case ACT_ACTION_DENY:
- txn->rule_deny_status = rule->deny_status;
+ if (deny_status)
+ *deny_status = rule->deny_status;
return HTTP_RULE_RES_DENY;
case ACT_HTTP_REQ_TARPIT:
txn->flags |= TX_CLTARPIT;
- txn->rule_deny_status = rule->deny_status;
+ if (deny_status)
+ *deny_status = rule->deny_status;
return HTTP_RULE_RES_DENY;
case ACT_HTTP_REQ_AUTH:
@@ -3577,7 +3582,7 @@
case ACT_HTTP_SET_TOS:
if ((cli_conn = objt_conn(sess->origin)) && conn_ctrl_ready(cli_conn))
- inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, rule->arg.tos);
+ inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, rule->arg.tos);
break;
case ACT_HTTP_SET_MARK:
@@ -3611,12 +3616,18 @@
case ACT_HTTP_SET_HDR:
case ACT_HTTP_ADD_HDR:
- chunk_printf(&trash, "%s: ", rule->arg.hdr_add.name);
+ /* The scope of the trash buffer must be limited to this function. The
+ * build_logline() function can execute a lot of other function which
+ * can use the trash buffer. So for limiting the scope of this global
+ * buffer, we build first the header value using build_logline, and
+ * after we store the header name.
+ */
+ len = rule->arg.hdr_add.name_len + 2,
+ len += build_logline(s, trash.str + len, trash.size - len, &rule->arg.hdr_add.fmt);
memcpy(trash.str, rule->arg.hdr_add.name, rule->arg.hdr_add.name_len);
- trash.len = rule->arg.hdr_add.name_len;
- trash.str[trash.len++] = ':';
- trash.str[trash.len++] = ' ';
- trash.len += build_logline(s, trash.str + trash.len, trash.size - trash.len, &rule->arg.hdr_add.fmt);
+ trash.str[rule->arg.hdr_add.name_len] = ':';
+ trash.str[rule->arg.hdr_add.name_len + 1] = ' ';
+ trash.len = len;
if (rule->action == ACT_HTTP_SET_HDR) {
/* remove all occurrences of the header */
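Review bot: The first added statement ends in a comma, `len = rule->arg.hdr_add.name_len + 2,`, so it is joined to the following line by the comma operator; it works, but it reads as a typo and should end with `;`. Nothing in the hunk checks that `name_len + 2` fits in `trash.size` before `trash.size - len` is passed to build_logline() and before the name is copied in with memcpy(). If the configuration parser already bounds the header name length, a comment saying so is enough; otherwise a guard is needed ahead of the build_logline() call. The enclosing switch continues outside the hunk.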
@@ -3860,7 +3871,7 @@
case ACT_HTTP_SET_TOS:
if ((cli_conn = objt_conn(sess->origin)) && conn_ctrl_ready(cli_conn))
- inet_set_tos(cli_conn->t.sock.fd, cli_conn->addr.from, rule->arg.tos);
+ inet_set_tos(cli_conn->t.sock.fd, &cli_conn->addr.from, rule->arg.tos);
break;
case ACT_HTTP_SET_MARK:
@@ -4303,6 +4314,7 @@
struct redirect_rule *rule;
struct cond_wordlist *wl;
enum rule_result verdict;
+ int deny_status = HTTP_ERR_403;
if (unlikely(msg->msg_state < HTTP_MSG_BODY)) {
/* we need more data */
@@ -4323,7 +4335,7 @@
/* evaluate http-request rules */
if (!LIST_ISEMPTY(&px->http_req_rules)) {
- verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s);
+ verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s, &deny_status);
switch (verdict) {
case HTTP_RULE_RES_YIELD: /* some data miss, call the function later. */
@@ -4369,7 +4381,7 @@
/* parse the whole stats request and extract the relevant information */
http_handle_stats(s, req);
- verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s);
+ verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s, &deny_status);
/* not all actions implemented: deny, allow, auth */
if (verdict == HTTP_RULE_RES_DENY) /* stats http-request deny */
@@ -4500,9 +4512,9 @@
manage_client_side_cookies(s, req);
txn->flags |= TX_CLDENY;
- txn->status = http_err_codes[txn->rule_deny_status];
+ txn->status = http_err_codes[deny_status];
s->logs.tv_request = now;
- stream_int_retnclose(&s->si[0], http_error_message(s, txn->rule_deny_status));
+ stream_int_retnclose(&s->si[0], http_error_message(s, deny_status));
stream_inc_http_err_ctr(s);
sess->fe->fe_counters.denied_req++;
if (sess->fe != s->be)
@@ -9641,7 +9653,7 @@
}
if (strcmp(args[cur_arg], "silent") == 0)
rule->arg.loglevel = -1;
- else if ((rule->arg.loglevel = get_log_level(args[cur_arg] + 1)) == 0)
+ else if ((rule->arg.loglevel = get_log_level(args[cur_arg]) + 1) == 0)
goto bad_log_level;
cur_arg++;
} else if (strcmp(args[0], "add-header") == 0 || strcmp(args[0], "set-header") == 0) {
@@ -11938,17 +11950,16 @@
{
struct chunk *temp;
struct connection *cli_conn = objt_conn(smp->sess->origin);
- unsigned int hash;
- if (!smp_fetch_url32(args, smp, kw, private))
+ if (!cli_conn)
return 0;
- /* The returned hash is a 32 bytes integer. */
- hash = smp->data.u.sint;
+ if (!smp_fetch_url32(args, smp, kw, private))
+ return 0;
temp = get_trash_chunk();
- memcpy(temp->str + temp->len, &hash, sizeof(hash));
- temp->len += sizeof(hash);
+ *(unsigned int *)temp->str = htonl(smp->data.u.sint);
+ temp->len += sizeof(unsigned int);
switch (cli_conn->addr.from.ss_family) {
case AF_INET:
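Review bot: The hash is now stored with `*(unsigned int *)temp->str = htonl(smp->data.u.sint);`, a typed store through a cast char pointer, while other hunks in this same update replace that pattern with memcpy() (src/dns.c, src/server.c). The store also goes to offset 0 while the length is advanced with `+=`, which is only right if get_trash_chunk() always returns an empty chunk; the removed code wrote at `temp->str + temp->len` and did not depend on that. Keeping a local and writing `unsigned int hash = htonl(smp->data.u.sint);`, `memcpy(temp->str, &hash, sizeof(hash));` and `temp->len = sizeof(hash);` removes both assumptions. The src/sample.c hunk keeps the same cast-store form around `my_htonll()`.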
@@ -12803,7 +12814,7 @@
break;
if (cur_arg < *orig_arg + 3) {
- memprintf(err, "expects <expression> [ 'len' <length> | id <idx> ]");
+ memprintf(err, "expects <expression> id <idx>");
return ACT_RET_PRS_ERR;
}
@@ -12821,7 +12832,7 @@
}
if (!args[cur_arg] || !*args[cur_arg]) {
- memprintf(err, "expects 'len or 'id'");
+ memprintf(err, "expects 'id'");
free(expr);
return ACT_RET_PRS_ERR;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/proto_tcp.c new/haproxy-1.6.7/src/proto_tcp.c
--- old/haproxy-1.6.5/src/proto_tcp.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/proto_tcp.c 2016-07-13 19:57:01.000000000 +0200
@@ -435,7 +435,7 @@
struct sockaddr_storage sa;
ret = 1;
- sa = src->source_addr;
+ memcpy(&sa, &src->source_addr, sizeof(sa));
do {
/* note: in case of retry, we may have to release a previously
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/sample.c new/haproxy-1.6.7/src/sample.c
--- old/haproxy-1.6.5/src/sample.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/sample.c 2016-07-13 19:57:01.000000000 +0200
@@ -765,7 +765,7 @@
{
struct chunk *chk = get_trash_chunk();
- *(unsigned long long int *)chk->str = htonll(smp->data.u.sint);
+ *(unsigned long long int *)chk->str = my_htonll(smp->data.u.sint);
chk->len = 8;
smp->data.u.str = *chk;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/server.c new/haproxy-1.6.7/src/server.c
--- old/haproxy-1.6.5/src/server.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/server.c 2016-07-13 19:57:01.000000000 +0200
@@ -2532,7 +2532,7 @@
/* save the new IP address */
switch (ip_sin_family) {
case AF_INET:
- ((struct sockaddr_in *)&s->addr)->sin_addr.s_addr = *(uint32_t *)ip;
+ memcpy(&((struct sockaddr_in *)&s->addr)->sin_addr.s_addr, ip, 4);
break;
case AF_INET6:
memcpy(((struct sockaddr_in6 *)&s->addr)->sin6_addr.s6_addr, ip, 16);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/ssl_sock.c new/haproxy-1.6.7/src/ssl_sock.c
--- old/haproxy-1.6.5/src/ssl_sock.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/ssl_sock.c 2016-07-13 19:57:01.000000000 +0200
@@ -4782,6 +4782,7 @@
if (base64dec(thisline, len, (char *) (keys_ref->tlskeys + i % TLS_TICKETS_NO), sizeof(struct tls_sess_key)) != sizeof(struct tls_sess_key)) {
if (err)
memprintf(err, "'%s' : unable to decode base64 key on line %d", args[cur_arg+1], i + 1);
+ fclose(f);
return ERR_ALERT | ERR_FATAL;
}
i++;
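Review bot: Each failing return in this key-loading code now needs its own `fclose(f)`, here and in the next hunk for the "at least %d keys" case, which is how the leak being fixed came about. A single exit label that closes `f` and returns the error code would also cover any return added later. The hunk does not show whether `keys_ref` and the ticket keys already decoded into `keys_ref->tlskeys` are released or wiped on these error paths; since that buffer holds TLS ticket key material, this is worth confirming. The function starts outside the hunk.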
@@ -4790,6 +4791,7 @@
if (i < TLS_TICKETS_NO) {
if (err)
memprintf(err, "'%s' : please supply at least %d keys in the tls-tickets-file", args[cur_arg+1], TLS_TICKETS_NO);
+ fclose(f);
return ERR_ALERT | ERR_FATAL;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/standard.c new/haproxy-1.6.7/src/standard.c
--- old/haproxy-1.6.5/src/standard.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/standard.c 2016-07-13 19:57:01.000000000 +0200
@@ -2307,22 +2307,29 @@
}
/* Return non-zero if IPv4 address is part of the network,
- * otherwise zero.
+ * otherwise zero. Note that <addr> may not necessarily be aligned
+ * while the two other ones must.
*/
-int in_net_ipv4(struct in_addr *addr, struct in_addr *mask, struct in_addr *net)
+int in_net_ipv4(const void *addr, const struct in_addr *mask, const struct in_addr *net)
{
- return((addr->s_addr & mask->s_addr) == (net->s_addr & mask->s_addr));
+ struct in_addr addr_copy;
+
+ memcpy(&addr_copy, addr, sizeof(addr_copy));
+ return((addr_copy.s_addr & mask->s_addr) == (net->s_addr & mask->s_addr));
}
/* Return non-zero if IPv6 address is part of the network,
- * otherwise zero.
+ * otherwise zero. Note that <addr> may not necessarily be aligned
+ * while the two other ones must.
*/
-int in_net_ipv6(struct in6_addr *addr, struct in6_addr *mask, struct in6_addr *net)
+int in_net_ipv6(const void *addr, const struct in6_addr *mask, const struct in6_addr *net)
{
int i;
+ struct in6_addr addr_copy;
+ memcpy(&addr_copy, addr, sizeof(addr_copy));
for (i = 0; i < sizeof(struct in6_addr) / sizeof(int); i++)
- if (((((int *)addr)[i] & ((int *)mask)[i])) !=
+ if (((((int *)&addr_copy)[i] & ((int *)mask)[i])) !=
(((int *)net)[i] & ((int *)mask)[i]))
return 0;
return 1;
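Review bot: in_net_ipv6() now takes const pointers but still compares through `(int *)mask` and `(int *)net`, which discards the qualifier and reads `struct in6_addr` objects through `int` lvalues; `i` is also a signed int compared against a sizeof expression. A byte-wise test avoids the casts and the alignment requirement on `mask` and `net`: `if ((addr_copy.s6_addr[i] & mask->s6_addr[i]) != (net->s6_addr[i] & mask->s6_addr[i])) return 0;` with the loop bound `sizeof(addr_copy.s6_addr)`. If the word-wise form is kept for speed, the casts should at least become `(const int *)`.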
@@ -2622,7 +2629,7 @@
}
allocated = needed + 1;
- ret = realloc(ret, allocated);
+ ret = my_realloc2(ret, allocated);
} while (ret);
if (needed < 0) {
@@ -2770,7 +2777,7 @@
val_len = value ? strlen(value) : 0;
}
- out = realloc(out, out_len + (txt_end - txt_beg) + val_len + 1);
+ out = my_realloc2(out, out_len + (txt_end - txt_beg) + val_len + 1);
if (txt_end > txt_beg) {
memcpy(out + out_len, txt_beg, txt_end - txt_beg);
out_len += txt_end - txt_beg;
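Review bot: The result of `my_realloc2()` is used without a NULL check; the very next statements memcpy into `out + out_len`. According to the changelog entry for this release the helper is "realloc + free upon failure", so the old buffer no longer leaks, but on failure the copy is made through a null-based pointer. A guard directly after the call is needed, for example `if (!out) return NULL;` if that matches this function's error convention. The function's signature and its other exits are outside the hunk.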
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/stick_table.c new/haproxy-1.6.7/src/stick_table.c
--- old/haproxy-1.6.5/src/stick_table.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/stick_table.c 2016-07-13 19:57:01.000000000 +0200
@@ -461,6 +461,8 @@
}
/* Prepares a stktable_key from a sample <smp> to search into table <t>.
+ * Note that the sample *is* modified and that the returned key may point
+ * to it, so the sample must not be modified afterwards before the lookup.
* Returns NULL if the sample could not be converted (eg: no matching type),
* otherwise a pointer to the static stktable_key filled with what is needed
* for the lookup.
@@ -700,11 +702,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
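Review bot: Nothing at the call site records why `stktable_lookup_key()` had to move above the three `smp->...` assignments, so the ordering is easy to undo in a later cleanup. The comment added in the hunk at line 461 says the returned key may point into the sample; a one-line reminder here, `/* key may point into smp: look it up before smp is overwritten */`, would carry that to where it matters. The same applies to the remaining hunks of src/stick_table.c, which repeat the identical reordering.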
@@ -736,11 +739,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -771,11 +775,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -806,11 +811,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -842,11 +848,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -878,11 +885,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -913,11 +921,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -948,11 +957,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -984,11 +994,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1019,11 +1030,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1055,11 +1067,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1090,11 +1103,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1126,11 +1140,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1161,11 +1176,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1196,11 +1212,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1231,11 +1248,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1266,11 +1284,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (!ts) /* key not present */
return 1;
@@ -1301,11 +1320,12 @@
if (!key)
return 0;
+ ts = stktable_lookup_key(t, key);
+
smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = 0;
- ts = stktable_lookup_key(t, key);
if (ts)
smp->data.u.sint = ts->ref_cnt;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/stream.c new/haproxy-1.6.7/src/stream.c
--- old/haproxy-1.6.5/src/stream.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/stream.c 2016-07-13 19:57:01.000000000 +0200
@@ -2855,7 +2855,7 @@
if (stkctr_entry(stkctr) == NULL)
stkctr = smp_create_src_stkctr(smp->sess, smp->strm, args, kw);
- if (stkctr_entry(stkctr) != NULL) {
+ if (stkctr && stkctr_entry(stkctr)) {
void *ptr1,*ptr2;
/* First, update gpc0_rate if it's tracked. Second, update its
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.6.5/src/vars.c new/haproxy-1.6.7/src/vars.c
--- old/haproxy-1.6.5/src/vars.c 2016-05-10 15:42:00.000000000 +0200
+++ new/haproxy-1.6.7/src/vars.c 2016-07-13 19:57:01.000000000 +0200
@@ -151,6 +151,7 @@
static char *register_name(const char *name, int len, enum vars_scope *scope, char **err)
{
int i;
+ char **var_names2;
const char *tmp;
/* Check length. */
@@ -191,13 +192,14 @@
if (strncmp(var_names[i], name, len) == 0)
return var_names[i];
- /* Store variable name. */
- var_names_nb++;
- var_names = realloc(var_names, var_names_nb * sizeof(*var_names));
- if (!var_names) {
+ /* Store variable name. If realloc fails, var_names remains valid */
+ var_names2 = realloc(var_names, (var_names_nb + 1) * sizeof(*var_names));
+ if (!var_names2) {
memprintf(err, "out of memory error");
return NULL;
}
+ var_names_nb++;
+ var_names = var_names2;
var_names[var_names_nb - 1] = malloc(len + 1);
if (!var_names[var_names_nb - 1]) {
memprintf(err, "out of memory error");
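Review bot: `var_names_nb++` is still done before the `malloc(len + 1)` for the name itself, so if that allocation fails the table has grown by one slot that holds NULL. Unless the error path after the final `memprintf()` (its tail is not visible here) decrements the counter again, the next call would pass that NULL to `strncmp(var_names[i], name, len)` in the lookup loop at the top of the hunk. Allocating the name before publishing the new count, or adding `var_names_nb--;` on that failure path, keeps the table consistent.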