From: Remi Tricot-Le Breton <rlebreton@haproxy.com>
Date: Mon, 30 Jun 2025 14:56:22 +0000 (+0200)
Subject: BUG/MINOR: jwt: Copy input and parameters in dedicated buffers in jwt_verify converter
X-Git-Tag: v3.0.12~101
X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=247bc9cb070d37f1059c01278c164c251f336f5e;p=haproxy-3.0.git

BUG/MINOR: jwt: Copy input and parameters in dedicated buffers in jwt_verify converter

When resolving variable values the temporary trash chunks are used so
when calling the 'jwt_verify' converter with two variable parameters
like in the following line, the input would be overwritten by the value
of the second parameter :
    var(txn.bearer),jwt_verify(txn.jwt_alg,txn.cert)
Copying the values into dedicated alloc'ed buffers prevents any new call
to get_trash_chunk from erasing the data we need in the converter.

This patch can be backported up to 2.8.

(cherry picked from commit 3465f88f8ab9c3f163d73938765f741c2b7e6a67)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 33eb0792afff79fa9cd596e87e4796f6d518d2c7)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 47a40f66d72d3be619b2db6c2639f584a4e861b1)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
---

diff --git a/src/sample.c b/src/sample.c
index 811d81e..f9d0ea9 100644
--- a/src/sample.c
+++ b/src/sample.c
@@ -4486,19 +4486,53 @@ static int sample_conv_jwt_verify(const struct arg *args, struct sample *smp, vo
 {
 	struct sample alg_smp, key_smp;
 	enum jwt_vrfy_status ret;
+	struct buffer *input = NULL;
+	struct buffer *alg = NULL;
+	struct buffer *key = NULL;
+	int retval = 0;
+
+	/* The two following calls to 'sample_conv_var2smp_str' will both make
+	 * use of the preallocated trash buffer (via get_trash_chunk call in
+	 * smp_dup) which would end up erasing the contents of the 'smp' input
+	 * buffer.
+	 */
+	input = alloc_trash_chunk();
+	if (!input)
+		return 0;
+	alg = alloc_trash_chunk();
+	if (!alg)
+		goto end;
+	key = alloc_trash_chunk();
+	if (!key)
+		goto end;
+
+	if (!chunk_cpy(input, &smp->data.u.str))
+		goto end;
 
 	smp_set_owner(&alg_smp, smp->px, smp->sess, smp->strm, smp->opt);
-	smp_set_owner(&key_smp, smp->px, smp->sess, smp->strm, smp->opt);
 	if (!sample_conv_var2smp_str(&args[0], &alg_smp))
-		return 0;
+		goto end;
+	if (chunk_printf(alg, "%.*s", (int)b_data(&alg_smp.data.u.str), b_orig(&alg_smp.data.u.str)) <= 0)
+		goto end;
+
+	smp_set_owner(&key_smp, smp->px, smp->sess, smp->strm, smp->opt);
 	if (!sample_conv_var2smp_str(&args[1], &key_smp))
-		return 0;
+		goto end;
+	if (chunk_printf(key, "%.*s", (int)b_data(&key_smp.data.u.str), b_orig(&key_smp.data.u.str)) <= 0)
+		goto end;
 
-	ret = jwt_verify(&smp->data.u.str,  &alg_smp.data.u.str, &key_smp.data.u.str);
+	ret = jwt_verify(input, alg, key);
 
 	smp->data.type = SMP_T_SINT;
 	smp->data.u.sint = ret;
-	return 1;
+
+	retval = 1;
+
+end:
+	free_trash_chunk(input);
+	free_trash_chunk(alg);
+	free_trash_chunk(key);
+	return retval;
 }