RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

CLEANUP: pattern: ensure that payload and payload_lv always stay in the buffer 

A test was already performed which worked by pure luck due to integer types,
otherwise it would have been possible to start checking for an offset out of
the buffer's bounds if the buffer size was large enough to allow an integer
wrap. Let's perform explicit checks and use unsigned ints for offsets instead
of risking being hit later.
This commit is contained in:
Willy Tarreau 2012-04-25 19:19:43 +02:00
parent 0ce3aa0c66
commit 82ea800b0f
1 changed files with 18 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
src/proto_tcp.c
View File

@ -1486,10 +1486,10 @@ static int
smp_fetch_payload_lv(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *arg_p, struct sample *smp)
{
int len_offset = arg_p[0].data.uint;
int len_size = arg_p[1].data.uint;
int buf_offset = arg_p[2].data.uint;
int buf_size = 0;
unsigned int len_offset = arg_p[0].data.uint;
unsigned int len_size = arg_p[1].data.uint;
unsigned int buf_offset;
unsigned int buf_size = 0;
struct buffer *b;
int i;
@ -1512,11 +1512,6 @@ smp_fetch_payload_lv(struct proxy *px, struct session *l4, void *l7, unsigned in
buf_size = (buf_size << 8) + ((unsigned char *)b->p)[i + len_offset];
}
if (!buf_size) {
smp->flags = 0;
return 0;
}
/* buf offset may be implicit, absolute or relative */
buf_offset = len_offset + len_size;
if (arg_p[2].type == ARGT_UINT)
@ -1524,6 +1519,12 @@ smp_fetch_payload_lv(struct proxy *px, struct session *l4, void *l7, unsigned in
else if (arg_p[2].type == ARGT_SINT)
buf_offset += arg_p[2].data.sint;
if (!buf_size || buf_size > b->size || buf_offset + buf_size > b->size) {
/* will never match */
smp->flags = 0;
return 0;
}
if (buf_offset + buf_size > b->i)
goto too_short;
@ -1542,8 +1543,8 @@ static int
smp_fetch_payload(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *arg_p, struct sample *smp)
{
int buf_offset = arg_p[0].data.uint;
int buf_size = arg_p[1].data.uint;
unsigned int buf_offset = arg_p[0].data.uint;
unsigned int buf_size = arg_p[1].data.uint;
struct buffer *b;
if (!l4)
@ -1554,6 +1555,12 @@ smp_fetch_payload(struct proxy *px, struct session *l4, void *l7, unsigned int o
if (!b)
return 0;
if (!buf_size || buf_size > b->size || buf_offset + buf_size > b->size) {
/* will never match */
smp->flags = 0;
return 0;
}
if (buf_offset + buf_size > b->i)
goto too_short;