BUG/MINOR: spoe: add missing key length check before checking key names

The spoe parser fails to check that the decoded key length is large enough to match a given key but it uses the returned length in memcmp(). So returning "ver" could match "version" for example. In addition this makes clang 10's ASAN complain because the second argument to memcmp() is the static key which is shorter than the decoded buffer size, which in practice has no impact. I'm still not 100% sure the parser is entirely correct because even with this fix it cannot parse a key whose name matches the beginning of another one, but in practice this does not happen. Ideally a preliminary length check before the comparison would be safer. This needs to be backported as far as 1.7.
2025-03-06 11:28:00 +00:00 · 2020-06-16 17:58:14 +02:00 · 2020-06-16 17:58:14 +02:00 · da21ed1662
commit da21ed1662
parent 9f658a554f
1 changed files with 5 additions and 5 deletions
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@ -682,7 +682,7 @@ spoe_handle_agenthello_frame(struct appctx *appctx, char *frame, size_t size)
 		}

 		/* Check "version" K/V item */
-		if (!memcmp(str, VERSION_KEY, sz)) {
+		if (sz >= strlen(VERSION_KEY) && !memcmp(str, VERSION_KEY, strlen(VERSION_KEY))) {
 			int i, type = *p++;

 			/* The value must be a string */
@ -711,7 +711,7 @@ spoe_handle_agenthello_frame(struct appctx *appctx, char *frame, size_t size)
 			}
 		}
 		/* Check "max-frame-size" K/V item */
-		else if (!memcmp(str, MAX_FRAME_SIZE_KEY, sz)) {
+		else if (sz >= strlen(MAX_FRAME_SIZE_KEY) && !memcmp(str, MAX_FRAME_SIZE_KEY, strlen(MAX_FRAME_SIZE_KEY))) {
 			int type = *p++;

 			/* The value must be integer */
@ -734,7 +734,7 @@ spoe_handle_agenthello_frame(struct appctx *appctx, char *frame, size_t size)
 			max_frame_size = sz;
 		}
 		/* Check "capabilities" K/V item */
-		else if (!memcmp(str, CAPABILITIES_KEY, sz)) {
+		else if (sz >= strlen(CAPABILITIES_KEY) && !memcmp(str, CAPABILITIES_KEY, strlen(CAPABILITIES_KEY))) {
 			int type = *p++;

 			/* The value must be a string */
@ -868,7 +868,7 @@ spoe_handle_agentdiscon_frame(struct appctx *appctx, char *frame, size_t size)
 		}

 		/* Check "status-code" K/V item */
-		if (!memcmp(str, STATUS_CODE_KEY, sz)) {
+		if (sz >= strlen(STATUS_CODE_KEY) && !memcmp(str, STATUS_CODE_KEY, strlen(STATUS_CODE_KEY))) {
 			int type = *p++;

 			/* The value must be an integer */
@ -887,7 +887,7 @@ spoe_handle_agentdiscon_frame(struct appctx *appctx, char *frame, size_t size)
 		}

 		/* Check "message" K/V item */
-		else if (!memcmp(str, MSG_KEY, sz)) {
+		else if (sz >= strlen(MSG_KEY) && !memcmp(str, MSG_KEY, strlen(MSG_KEY))) {
 			int type = *p++;

 			/* The value must be a string */