RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-03-31 07:37:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MEDIUM: ssl: fix off-by-one in ALPN list allocation

Browse Source 
The first time I tried it (1.6.3) I got a segmentation fault :(

After some investigation with gdb and valgrind I found the
problem. memcpy() copies past an allocated buffer in
"bind_parse_alpn". This patch fixes it.

[wt: this fix must be backported into 1.6 and 1.5]
This commit is contained in:
Marcoen Hirschberg 2016-02-12 17:05:24 +01:00 committed by Willy Tarreau
parent 7282d8eb8b
commit bef6091cff
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/ssl_sock.c
View File

@ -5279,9 +5279,12 @@ static int bind_parse_alpn(char **args, int cur_arg, struct proxy *px, struct bi
free(conf->alpn_str);
/* the ALPN string is built as a suite of (<len> <name>)* */
/* the ALPN string is built as a suite of (<len> <name>)*,
* so we reuse each comma to store the next <len> and need
* one more for the end of the string.
*/
conf->alpn_len = strlen(args[cur_arg + 1]) + 1;
conf->alpn_str = calloc(1, conf->alpn_len);
conf->alpn_str = calloc(1, conf->alpn_len + 1);
memcpy(conf->alpn_str + 1, args[cur_arg + 1], conf->alpn_len);
/* replace commas with the name length */