From eac6fa49cc51175bfc99cfeb0acbe1a2f2e1f5b1 Mon Sep 17 00:00:00 2001 
From: Fabian Keil Date: Sun, 3 Jan 2021 12:06:56 +0100 Subject: [PATCH] sed_https(): Also update csp->https_headers->first which may have been changed by header reordering Prevents forwarding of invalid requests and segmentation faults when the client-header-order directive is used while https inspection is enabled. Program terminated with signal SIGSEGV, Segmentation fault. (gdb) where #0 0x0000000801d1cbb0 in arena_run_heap_remove (ph=0x8027130d8, phn=0x802c01360) at jemalloc_arena.c:77 #1 0x0000000801d17188 in arena_dissociate_bin_run (chunk=, run=0x802c01378, bin=0x802713098) at jemalloc_arena.c:2839 #2 arena_dalloc_bin_locked_impl (tsdn=0x8006e3690, arena=0x802712540, chunk=, ptr=, bitselm=, junked=) at jemalloc_arena.c:2905 #3 0x0000000801cfd1fd in __je_tcache_bin_flush_small (tsd=, tcache=, tbin=0x802a760e8, binind=, rem=) at jemalloc_tcache.c:134 #4 0x0000000801cfe01b in tcache_destroy (tsd=0x8006e3690, tcache=0x802a76000) at jemalloc_tcache.c:368 #5 0x0000000801cfdde7 in __je_tcache_cleanup (tsd=0x8006e3690) at jemalloc_tcache.c:407 #6 0x0000000801cfcd53 in __je_tsd_cleanup (arg=0x8006e3690) at jemalloc_tsd.c:82 #7 0x0000000801cfcf3b in __je_tsd_cleanup_wrapper () at /usr/src/contrib/jemalloc/include/jemalloc/internal/tsd.h:658 #8 0x0000000801cfccca in _malloc_thread_cleanup () at jemalloc_tsd.c:52 #9 0x0000000801a529c2 in exit_thread () at /usr/src/lib/libthr/thread/thr_exit.c:302 #10 0x0000000801a528fe in _pthread_exit_mask (status=, mask=) at /usr/src/lib/libthr/thread/thr_exit.c:266 #11 0x0000000801a5275b in _pthread_exit (status=0x8027130d8) at /usr/src/lib/libthr/thread/thr_exit.c:206 #12 0x0000000801a45094 in thread_start (curthread=0x802817e00) at /usr/src/lib/libthr/thread/thr_create.c:290 #13 0x0000000000000000 in ?? () Backtrace stopped: Cannot access memory at address 0x7fffdf9fb000 Reported by: Kai Raven
---
 parsers.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/parsers.c b/parsers.c
index 69a8fb4b..8d066050 100644
--- a/parsers.c
+++ b/parsers.c
@@ -1346,9 +1346,11 @@ jb_err sed_https(struct client_state *csp)
 csp->flags |= CSP_FLAG_CLIENT_HEADER_PARSING_DONE;
 /*
- * Update the last header which may have changed
- * due to header additions,
+ * Update the https headers list which may have
+ * been modified due to header additions or header
+ * reordering.
 */
+ csp->https_headers->first = csp->headers->first;
 csp->https_headers->last = csp->headers->last;
 csp->headers->first = headers.first;
-- 
2.39.2
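Review bot: The added `csp->https_headers->first = csp->headers->first;` closes the gap for `first`, but the two lists are still synchronised one member at a time, which is exactly the pattern that let `first` go stale and, per the commit message, left the https list pointing at a node that header reordering had moved or freed. Replacing the two member assignments with a whole-struct copy, `*csp->https_headers = *csp->headers;`, keeps both lists in sync regardless of what fields `struct list` has, so a future field cannot be missed the same way; this assumes `struct list` carries nothing that must differ between the two lists, which the hunk does not show, so confirm against its definition. The new comment says the list may have been modified but not what goes wrong otherwise; a sentence such as `/* A stale pointer here leaves the https list referencing a header node that has been reordered or freed. */` would preserve the reason for the next reader (inferred from the commit message, not from the visible lines). sed_https() begins and ends outside this hunk, so the restore of `csp->headers->last` and later uses of `https_headers` are not visible here.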