From: Willy Tarreau Date: Thu, 19 Mar 2026 05:58:14 +0000 (+0100) Subject: BUG/MEDIUM: peers: enforce check on incoming table key type X-Git-Tag: v3.4-dev7~15 X-Git-Url: http://www.kaiwu.me/postgresql/commit/?a=commitdiff_plain;h=1696cfaa195f291bb92439405207389135e6c085;p=haproxy.git BUG/MEDIUM: peers: enforce check on incoming table key type The key type received over the peers protocol is not checked for validity and as a result can crash the process when passed through peer_int_key_type[] in peer_treat_definemsg(). The risk remains very low since only trusted peers may exchange tables, however it represents a risk the day haproxy supports new key types, because mixing old and new versions could then cause the old ones to crash. Let's add the required check in peer_treat_definemsg(). It is also worth noting that in this function a few protocol identifiers of type int read directly from a var_int via intdecode() and that some protocol aliasing may occur (e.g. table_id, table_id_len etc). This is not supposed to be a problem but it could hide implementation bugs and cause interoperability issues once fixed, so these should be addressed in a future commit that will not be marked for backporting. Thanks to Haruto Kimura (Stella) for finding and reporting this bug. This fix needs to be backported to all stable versions. --- diff --git a/src/peers.c b/src/peers.c index 93e64aaa2..3e15710a8 100644 --- a/src/peers.c +++ b/src/peers.c @@ -2351,6 +2351,11 @@ static inline int peer_treat_definemsg(struct appctx *appctx, struct peer *p, goto malformed_exit; } + if (table_type < 0 || table_type >= PEER_KT_TYPES) { + TRACE_PROTO("ignore table definition message: unknown table type", PEERS_EV_SESS_IO|PEERS_EV_RX_MSG|PEERS_EV_PROTO_DEF, appctx, p); + goto ignore_msg; + } + table_keylen = intdecode(msg_cur, msg_end); if (!*msg_cur) { TRACE_ERROR("malformed table definition message: no key length", PEERS_EV_SESS_IO|PEERS_EV_RX_MSG|PEERS_EV_PROTO_ERR, appctx, p);