PT-2018-9737 · Haproxy+1

Published: 2018-05-09 · Updated: 2018-06-26 · CVE-2018-10184

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: HAProxy versions prior to 1.8.8
Description: A problem was discovered where the incoming H2 frame length was checked against the max frame size setting instead of the bufsize. Since max frame size only applies to outgoing traffic, a large enough frame size advertised in the SETTINGS frame can cause a wrapped frame to be defragmented into a temporarily allocated buffer, potentially overflowing the heap by up to 16 kB. While it is unlikely that this can be exploited for code execution due to the short-lived nature of buffers and their unpredictable addresses in production, the possibility of an immediate crash is certain.
Recommendations: For versions prior to 1.8.8, update to version 1.8.8 or later to resolve the issue. As a temporary workaround, consider restricting the max frame size setting to prevent large frame sizes from being advertised in the SETTINGS frame. Additionally, monitor system resources for signs of unexpected crashes and be prepared to restart services as needed.
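
The length check from the description, as an added simplified model in C (not HAProxy's source): the flawed test bounds the incoming frame by the frame size setting, the corrected test bounds it by the buffer the frame is defragmented into. All names, the `BUFSIZE` value and the sample header are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 16384u /* assumed: size of the ring buffer and of the temporary buffer */

/* 24-bit length field of the 9-byte HTTP/2 frame header (RFC 7540, section 4.1). */
static uint32_t h2_frame_len(const uint8_t *hdr)
{
    return ((uint32_t)hdr[0] << 16) | ((uint32_t)hdr[1] << 8) | hdr[2];
}

/* Flawed acceptance test: the bound is the frame size setting, which can exceed BUFSIZE. */
static int accept_flawed(uint32_t flen, uint32_t max_frame_size)
{
    return flen <= max_frame_size;
}

/* Corrected acceptance test: the frame must fit the buffer it will be copied into. */
static int accept_fixed(uint32_t flen)
{
    return flen <= BUFSIZE;
}

/* Linearise a frame that starts at offset head in ring[] and wraps past its end.
 * Returns 0 on success, else the byte count that would not fit in tmp[] (nothing is copied). */
static uint32_t defragment(uint8_t *tmp, const uint8_t *ring, uint32_t head, uint32_t flen)
{
    uint32_t first;
    if (flen > BUFSIZE)
        return flen - BUFSIZE;               /* refuse instead of writing past tmp[] */
    head %= BUFSIZE;
    first = BUFSIZE - head;                  /* bytes available before the ring wraps */
    if (first > flen)
        first = flen;
    memcpy(tmp, ring + head, first);         /* first fragment, up to the end of the ring */
    memcpy(tmp + first, ring, flen - first); /* wrapped second fragment */
    return 0;
}

int main(void)
{
    static uint8_t ring[BUFSIZE], tmp[BUFSIZE];
    const uint8_t hdr[9] = {0x00, 0x80, 0x00, 0, 0, 0, 0, 0, 1}; /* constructed: length 32768 */
    uint32_t flen = h2_frame_len(hdr);
    printf("len=%u flawed=%d fixed=%d excess=%u\n", flen, accept_flawed(flen, 65536),
           accept_fixed(flen), defragment(tmp, ring, BUFSIZE - 100, flen));
    return 0;
}
```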

Fix

Buffer Overflow


Weakness Enumeration

Related Identifiers

ALT-PU-2018-1942
CVE-2018-10184
RHSA-2018:1372

Affected Products

Alt Linux
Haproxy