Multiple integer overflows in the http_request_forward_body function in proto_http.c in HAProxy 1.5-dev23 before 1.5.4 allow remote attackers to cause a denial of service (crash) via a large stream of data, which triggers a buffer overflow and an out-of-bounds read.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6269
Reference (s):
- http://git.haproxy.org/?p=haproxy-1.5.git;a=commitdiff;h=b4d05093bc89f71377230228007e69a1434c1a0c
- MLIST:[haproxy] 20140805 segfault in http_skip_chunk_crlf after 16G of data has passed through haproxy
- URL: http://article.gmane.org/gmane.comp.web.haproxy/17726
- MLIST:[haproxy] 20140902 [ANNOUNCE] haproxy-1.5.4
- URL: http://article.gmane.org/gmane.comp.web.haproxy/18097