From: Willy Tarreau <w@1wt.eu>
Date: Fri, 3 Apr 2026 07:17:35 +0000 (+0200)
Subject: BUG/MINOR: cfgcond: fail cleanly on missing argument for "feature"
X-Git-Tag: v3.4-dev8~9
X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=efb1ab57bea888491c31b0c534a0e1d96823c5da;p=haproxy.git

BUG/MINOR: cfgcond: fail cleanly on missing argument for "feature"

The "feature" predicate takes an argument name. Not passing one will
cause strstr() to always find something, including at the end of the
string, and to read past end that ASAN detects. We need to check that
we didn't reach end before proceeding.

This bug was reported by OSS Fuzz here:
   https://issues.oss-fuzz.com/issues/499133314

The issue is present since 2.4 with commit 58ca706e16 ("MINOR: config:
add predicate "feature" to detect certain built-in features") so this
fix must be backported to all stable versions.
---

diff --git a/src/cfgcond.c b/src/cfgcond.c
index 345eafe71..491c1c877 100644
--- a/src/cfgcond.c
+++ b/src/cfgcond.c
@@ -232,7 +232,7 @@ int cfg_eval_cond_term(const struct cfg_cond_term *term, char **err)
 			const char *p;
 
 			ret = 0; // assume feature not found
-			for (p = build_features; (p = strstr(p, term->args[0].data.str.area)); p++) {
+			for (p = build_features; *p && (p = strstr(p, term->args[0].data.str.area)); p++) {
 				if (p > build_features &&
 				    (p[term->args[0].data.str.data] == ' ' ||
 				     p[term->args[0].data.str.data] == 0)) {