From 15c5226bd39d71eca73643e493c0505adf9e2253 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Mon, 11 May 2026 14:56:22 +0200 Subject: [PATCH] BUG/MINOR: http-fetch: fix smp_fetch_hdr_ip()'s handling of brackets for IPv6 IPv6 addresses can be read enclosed in brackets, but the length of the string is not checked before checking them. If by lack of luck, the buffer is empty but already contains '[' in the first place, we'd read the byte at position -1, possibly crashing (even though in practice it will not since allocated blocks will be precedeed by the malloc meta- data). At least it could make asan/valgrind unhappy. This can be backported to all versions. --- src/http_fetch.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/http_fetch.c b/src/http_fetch.c index b501ab096..b030509d5 100644 --- a/src/http_fetch.c +++ b/src/http_fetch.c @@ -1100,7 +1100,7 @@ static int smp_fetch_hdr_ip(const struct arg *args, struct sample *smp, const ch /* IPv4 address suffixed with ':' followed by a valid port number */ smp->data.type = SMP_T_IPV4; break; - } else if (temp->area[0] == '[' && temp->area[smp->data.u.str.data-1] == ']') { + } else if (smp->data.u.str.data >= 2 && temp->area[0] == '[' && temp->area[smp->data.u.str.data-1] == ']') { /* IPv6 address enclosed in square brackets */ temp->area[smp->data.u.str.data-1] = '\0'; if (inet_pton(AF_INET6, temp->area+1, &smp->data.u.ipv6)) { -- 2.47.3