kozorizki/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BUG/MAJOR: dns: fix the length of the string to be copied

Browse Source 
Jan A. Bruder reported that some very specific hostnames on server
lines were causing haproxy to crash on startup. Given that hist
backtrace showed some heap corruption, it was obvious there was an
overflow somewhere. The bug in fact is a typo in dns_str_to_dn_label()
which mistakenly copies one extra byte from the host name into the
output value, thus effectively corrupting the structure.

The bug triggers while parsing the next server of similar length
after the corruption, which generally triggers at config time but
could theorically crash at any moment during runtime depending on
what malloc sizes are needed next. This is why it's tagged major.

No backport is needed, this bug was introduced in 1.6-dev2.
This commit is contained in:
Willy Tarreau 2015-07-22 16:45:36 +02:00
parent 2100b49122
commit d69d6f3678
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/dns.c
View File

@ -947,7 +947,7 @@ char *dns_str_to_dn_label(const char *string, char *dn, int dn_len)
if (dn_len < i + offset)
return NULL;
i = strlen(string) + offset;
i = strlen(string);
memcpy(dn + offset, string, i);
dn[i + offset] = '\0';
/* avoid a '\0' at the beginning of dn string which may prevent the for loop