From: Willy Tarreau Date: Wed, 29 Apr 2026 06:55:23 +0000 (+0200) Subject: BUG/MINOR: http_fetch: Check return values of unchecked buffer operations X-Git-Tag: v3.4-dev11~45 X-Git-Url: http://www.kaiwu.me/postgresql/commit/?a=commitdiff_plain;h=9abfbbf0bafaf757488495025df0c5b9e965cae8;p=haproxy.git BUG/MINOR: http_fetch: Check return values of unchecked buffer operations Several return value for chunk_istcat() or chunk_memcat() calls were not tested. Now, 0 is returned on failure. Concretly, for now, it is unexpected to trigger error because the result cannot exceed the buffer size. Data are extracted from an HTX message. At first glance, no reason to backport it. --- diff --git a/src/http_fetch.c b/src/http_fetch.c index 0011e8a7a..384453418 100644 --- a/src/http_fetch.c +++ b/src/http_fetch.c @@ -680,9 +680,11 @@ static int smp_fetch_body(const struct arg *args, struct sample *smp, const char if (!chk) { smp->flags &= ~SMP_F_CONST; chk = get_trash_chunk_sz(htx->data); - chunk_istcat(chk, body); + if (!chunk_istcat(chk, body)) + return 0; } - chunk_istcat(chk, htx_get_blk_value(htx, blk)); + if (!chunk_istcat(chk, htx_get_blk_value(htx, blk))) + return 0; body = ist2(b_orig(chk), b_data(chk)); } else { @@ -941,9 +943,12 @@ static int smp_fetch_hdr_names(const struct arg *args, struct sample *smp, const continue; n = htx_get_blk_name(htx, blk); - if (temp->data) - temp->area[temp->data++] = del; - chunk_istcat(temp, n); + if (temp->data) { + if (!chunk_memcat(temp, &del, 1)) + return 0; + } + if (!chunk_istcat(temp, n)) + return 0; } smp->data.type = SMP_T_STR; @@ -1176,7 +1181,8 @@ static int smp_fetch_base(const struct arg *args, struct sample *smp, const char /* OK we have the header value in ctx.value */ temp = get_trash_chunk(); - chunk_istcat(temp, ctx.value); + if (!chunk_istcat(temp, ctx.value)) + return 0; /* now retrieve the path */ sl = http_get_stline(htx); @@ -1192,8 +1198,10 @@ static int smp_fetch_base(const struct arg *args, struct sample *smp, const char ; } - if (len && *(path.ptr) == '/') - chunk_memcat(temp, path.ptr, len); + if (len && *(path.ptr) == '/') { + if (!chunk_memcat(temp, path.ptr, len)) + return 0; + } } smp->data.type = SMP_T_STR; @@ -2113,9 +2121,11 @@ static int smp_fetch_body_param(const struct arg *args, struct sample *smp, cons /* More than one DATA block we must use a trash */ if (!chk) { chk = get_trash_chunk_sz(htx->data); - chunk_istcat(chk, body); + if (!chunk_istcat(chk, body)) + break; } - chunk_istcat(chk, htx_get_blk_value(htx, blk)); + if (!chunk_istcat(chk, htx_get_blk_value(htx, blk))) + break; body = ist2(b_orig(chk), b_data(chk)); } else