BUG/MINOR: http-fetch: fix smp_fetch_hdr_ip()'s handling of brackets for IPv6

IPv6 addresses can be read enclosed in brackets, but the length of the
string is not checked before checking them. If by lack of luck, the
buffer is empty but already contains '[' in the first place, we'd read
the byte at position -1, possibly crashing (even though in practice it
will not since allocated blocks will be precedeed by the malloc meta-
data). At least it could make asan/valgrind unhappy.

This can be backported to all versions.

diff --git a/src/http_fetch.c b/src/http_fetch.c
index b501ab096fdb763dfc1c67172ac927126ffe8ff0..b030509d5ef054f762d6248a6b064a954d73c8f6 100644 (file)
--- a/src/http_fetch.c
+++ b/src/http_fetch.c
@@ -1100,7 +1100,7 @@ static int smp_fetch_hdr_ip(const struct arg *args, struct sample *smp, const ch
                                /* IPv4 address suffixed with ':' followed by a valid port number */
                                smp->data.type = SMP_T_IPV4;
                                break;
-                       } else if (temp->area[0] == '[' && temp->area[smp->data.u.str.data-1] == ']') {
+                       } else if (smp->data.u.str.data >= 2 && temp->area[0] == '[' && temp->area[smp->data.u.str.data-1] == ']') {
                                /* IPv6 address enclosed in square brackets */
                                temp->area[smp->data.u.str.data-1] = '\0';
                                if (inet_pton(AF_INET6, temp->area+1, &smp->data.u.ipv6)) {