From 6785138bcaecab45d74a17be8c7716141ff54557 Mon Sep 17 00:00:00 2001
From: Thomas Heil
Date: Fri, 18 Jul 2014 14:58:29 +0200
Subject: [PATCH] haproxy: fixes from upstream
[PATCH 4/5] BUG/MINOR: http: base32+src should use the big endian
[PATCH 5/5] BUG/MEDIUM: connection: fix memory corruption when
Signed-off-by: Thomas Heil
---
net/haproxy/Makefile | 2 +-
...ase32-src-should-use-the-big-endian-.patch | 35 ++++++++++++++++
...ction-fix-memory-corruption-when-bui.patch | 42 +++++++++++++++++++
3 files changed, 78 insertions(+), 1 deletion(-)
create mode 100644 net/haproxy/patches/0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch
create mode 100644 net/haproxy/patches/0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch
diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 6908210788..04d640c15d 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=haproxy
 PKG_VERSION:=1.5.2
-PKG_RELEASE:=03
+PKG_RELEASE:=05
 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
 PKG_MD5SUM:=e854fed32ea751d6db7f366cb910225a
diff --git a/net/haproxy/patches/0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch b/net/haproxy/patches/0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch
new file mode 100644
index 0000000000..80c5ec52da
--- /dev/null
+++ b/net/haproxy/patches/0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch
@@ -0,0 +1,35 @@
+From 0dff81c6a5876172bc1d4725a7a07fddd9d1f369 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau
+Date: Tue, 15 Jul 2014 21:34:06 +0200
+Subject: [PATCH 4/5] BUG/MINOR: http: base32+src should use the big endian
+ version of base32
+
+We're using the internal memory representation of base32 here, which is
+wrong since these data might be exported to headers for logs or be used
+to stick to a server and replicated to other peers. Let's convert base32
+to big endian (network representation) when building the binary block.
+
+This mistake is also present in 1.5, it would be better to backport it.
+(cherry picked from commit 5ad6e1dc09f0a85aabf86f154b1817b9ebffb568)
+---
+ src/proto_http.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/proto_http.c b/src/proto_http.c
+index 94afed7..b7ed85d 100644
+--- a/src/proto_http.c
++++ b/src/proto_http.c
+@@ -10358,8 +10358,8 @@ smp_fetch_base32_src(struct proxy *px, struct session *l4, void *l7, unsigned in
+ return 0;
+
+ temp = get_trash_chunk();
+- memcpy(temp->str + temp->len, &smp->data.uint, sizeof(smp->data.uint));
+- temp->len += sizeof(smp->data.uint);
++ *(unsigned int *)temp->str = htonl(smp->data.uint);
++ temp->len += sizeof(unsigned int);
+
+ switch (cli_conn->addr.from.ss_family) {
+ case AF_INET:
+--
+1.8.5.5
+
diff --git a/net/haproxy/patches/0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch b/net/haproxy/patches/0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch
new file mode 100644
index 0000000000..20321fa76a
--- /dev/null
+++ b/net/haproxy/patches/0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch
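Review bot: The new store `*(unsigned int *)temp->str = htonl(smp->data.uint);` in smp_fetch_base32_src writes at offset 0 through a cast pointer, whereas the removed memcpy wrote at `temp->str + temp->len` and the next line still advances the length with `+=`. If the chunk returned by get_trash_chunk() ever comes back with a non-zero length, the stored value and the recorded length disagree, and the cast store also relies on the trash buffer being suitably aligned for unsigned int, which is not visible here. Keeping the byte copy avoids both: `unsigned int be = htonl(smp->data.uint);`, `memcpy(temp->str + temp->len, &be, sizeof(be));`, `temp->len += sizeof(be);`. The function starts and ends outside the hunk, so the initial value of temp->len is an assumption to confirm.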
@@ -0,0 +1,42 @@
+From 66dbae025876a65c81ae3c4011e3aa3b630b42f7 Mon Sep 17 00:00:00 2001
+From: Dave McCowan <11235david@gmail.com>
+Date: Thu, 17 Jul 2014 14:34:01 -0400
+Subject: [PATCH 5/5] BUG/MEDIUM: connection: fix memory corruption when
+ building a proxy v2 header
+
+Use temporary trash chunk, instead of global trash chunk in
+make_proxy_line_v2() to avoid memory overwrite.
+
+This fix must also be backported to 1.5.
+(cherry picked from commit 77d1f0143e210c13ee8ec6aaf6b3150fa4ce6c5b)
+---
+ src/connection.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/connection.c b/src/connection.c
+index 20a911b..3435b1a 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -622,6 +622,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
+ char *value = NULL;
+ struct tlv_ssl *tlv;
+ int ssl_tlv_len = 0;
++ struct chunk *cn_trash;
+ #endif
+
+ if (buf_len < PP2_HEADER_LEN)
+@@ -682,8 +683,9 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
+ tlv->verify = htonl(ssl_sock_get_verify_result(remote));
+ }
+ if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
+- if (ssl_sock_get_remote_common_name(remote, &trash) > 0) {
+- tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str);
++ cn_trash = get_trash_chunk();
++ if (ssl_sock_get_remote_common_name(remote, &cn_trash) > 0) {
++ tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
+ ssl_tlv_len += tlv_len;
+ }
+ }
+--
+1.8.5.5
+
--
2.30.2
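Review bot: The call `ssl_sock_get_remote_common_name(remote, &cn_trash)` in make_proxy_line_v2 passes the address of the pointer, not the chunk. `cn_trash` is declared `struct chunk *`, so `&cn_trash` is a `struct chunk **`, while the removed line passed `&trash` for an object accessed as `trash.len`, which suggests the parameter is a `struct chunk *` (the prototype is not visible here). If so, the callee would treat the stack slot holding the pointer as a chunk, so the memory overwrite this patch targets can still occur and the PP2_TYPE_SSL_CN TLV built from `cn_trash->len` and `cn_trash->str` would not carry the client certificate's CN. The argument should be the pointer itself, `if (ssl_sock_get_remote_common_name(remote, cn_trash) > 0) {`, and the build should be checked for an incompatible-pointer-type warning on this line. The function body continues outside both inner hunks.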