From 3d7a9186dd650dc4106a64bb57c49b990c3cbbeb Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Fri, 25 Mar 2022 17:37:51 +0100 Subject: [PATCH] BUG/MINOR: tools: url2sa reads too far when no port nor path url2sa() still have an unfortunate case where it reads 1 byte too far, it happens when no port or path are specified in the URL, and could crash if the byte after the URL is not allocated (mostly with ASAN). This case is never triggered in old versions of haproxy because url2sa is used with buffers which are way bigger than the URL. It is only triggered with the httpclient. Should be bacported in every stable branches. --- src/tools.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/tools.c b/src/tools.c index 33cbfc9f6..34f86321c 100644 --- a/src/tools.c +++ b/src/tools.c @@ -1679,7 +1679,7 @@ int url2sa(const char *url, int ulen, struct sockaddr_storage *addr, struct spli end++; /* Decode port. */ - if (*end == ':') { + if (end < url + ulen && *end == ':') { end++; default_port = read_uint(&end, url + ulen); } @@ -1712,7 +1712,7 @@ int url2sa(const char *url, int ulen, struct sockaddr_storage *addr, struct spli curr += ret; /* Decode port. */ - if (*curr == ':') { + if (curr < url + ulen && *curr == ':') { curr++; default_port = read_uint(&curr, url + ulen); } @@ -1746,7 +1746,7 @@ int url2sa(const char *url, int ulen, struct sockaddr_storage *addr, struct spli } /* Decode port. */ - if (*end == ':') { + if (end < url + ulen && *end == ':') { end++; default_port = read_uint(&end, url + ulen); } -- 2.47.3