RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-01-03 02:32:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MINOR: ist: allocate nul byte on istdup

Browse Source 
istdup() is documented as having the same behavior as strdup(). However,
it may cause confusion as it allocates a block of input length, without
an extra byte for \0 delimiter. This behavior is incoherent as in case
of an empty string however a single \0 is allocated.

This API inconsistency could cause a bug anywhere an IST is used as a
C-string after istdup() invocation. Currently, the only found issue is
with 'wait' CLI command using 'srv-unused'. This causes a buffer
overflow due to ist0() invocation after istdup() for be_name and
sv_name.

Backport should be done to all stable releases. Even if no bug has been
found outside of wait CLI implementation, it ensures the code is more
consistent on every releases.
This commit is contained in:
Amaury Denoyelle 2024-02-21 16:10:43 +01:00
parent 2462e5bcca
commit de02167584
1 changed files with 4 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
include/import/ist.h
View File

@ -939,16 +939,13 @@ static inline void istfree(struct ist *ist)
*/
static inline struct ist istdup(const struct ist src)
{
const size_t src_size = src.len;
/* Allocate at least 1 byte to allow duplicating an empty string with
* malloc implementations that return NULL for a 0-size allocation.
*/
struct ist dst = istalloc(src_size ? src_size : 1);
/* Allocate 1 extra byte to add an extra \0 delimiter. */
struct ist dst = istalloc(src.len + 1);
if (isttest(dst)) {
istcpy(&dst, src, src_size);
istcpy(&dst, src, src.len);
}
dst.ptr[dst.len] = '\0';
return dst;
}