BUG/MEDIUM: peers: enforce check on incoming table key type

The key type received over the peers protocol is not checked for
validity and as a result can crash the process when passed through
peer_int_key_type[] in peer_treat_definemsg(). The risk remains
very low since only trusted peers may exchange tables, however it
represents a risk the day haproxy supports new key types, because
mixing old and new versions could then cause the old ones to crash.
Let's add the required check in peer_treat_definemsg().

It is also worth noting that in this function a few protocol identifiers
of type int read directly from a var_int via intdecode() and that some
protocol aliasing may occur (e.g. table_id, table_id_len etc). This is
not supposed to be a problem but it could hide implementation bugs and
cause interoperability issues once fixed, so these should be addressed
in a future commit that will not be marked for backporting.

Thanks to Haruto Kimura (Stella) for finding and reporting this bug.

This fix needs to be backported to all stable versions.

diff --git a/src/peers.c b/src/peers.c
index 93e64aaa226935f8cb552f760300b3e3e670be6a..3e15710a888404b8745e75bae172832ae7ffb3fc 100644 (file)
--- a/src/peers.c
+++ b/src/peers.c
@@ -2351,6 +2351,11 @@ static inline int peer_treat_definemsg(struct appctx *appctx, struct peer *p,
                goto malformed_exit;
        }
 
+       if (table_type < 0 || table_type >= PEER_KT_TYPES) {
+               TRACE_PROTO("ignore table definition message: unknown table type", PEERS_EV_SESS_IO|PEERS_EV_RX_MSG|PEERS_EV_PROTO_DEF, appctx, p);
+               goto ignore_msg;
+       }
+
        table_keylen = intdecode(msg_cur, msg_end);
        if (!*msg_cur) {
                TRACE_ERROR("malformed table definition message: no key length", PEERS_EV_SESS_IO|PEERS_EV_RX_MSG|PEERS_EV_PROTO_ERR, appctx, p);