RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-05-05 17:28:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MINOR: sample: Always consider zero size string samples as unsafe

Browse Source 
smp_is_safe() function is used to be sure a sample may be safely
modified. For string samples, a test is performed to verify if there is a
null-terminated byte. If not, one is added, if possible. It means if the
sample is not const and if there is some free space in the buffer, after
data. However, we must not try to read the null-terminated byte if the
string sample is too long (data >= size) or if the size is equal to
zero. This last test was not performed. Thus it was possible to consider a
string sample as safe by testing a byte outside the buffer.

Now, a zero size string sample is always considered as unsafe and is
duplicated when smp_make_safe() is called.

This patch must be backported in all stable versions.
This commit is contained in:
Christopher Faulet 2021-02-18 10:22:48 +01:00
parent ca9f60c1ac
commit 8dd40fbde9
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
include/haproxy/sample.h
View File

@ -97,13 +97,13 @@ int smp_is_safe(struct sample *smp)
/* Fall through */
case SMP_T_STR:
if (smp->data.u.str.size && smp->data.u.str.data >= smp->data.u.str.size)
if (!smp->data.u.str.size || smp->data.u.str.data >= smp->data.u.str.size)
return 0;
if (smp->data.u.str.area[smp->data.u.str.data] == 0)
return 1;
if (!smp->data.u.str.size || (smp->flags & SMP_F_CONST))
if (smp->flags & SMP_F_CONST)
return 0;
smp->data.u.str.area[smp->data.u.str.data] = 0;