From 1ef74fc7cec12eba7daeef0b44f96b1ad4f5e127 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Sun, 26 Apr 2026 13:51:16 +0200 Subject: [PATCH] BUG/MEDIUM: mux_h1: fix stack buffer overflow in h1_append_chunk_size() The char tmp[10] buffer can only hold 8 hex digits + CRLF suffix. If chksz exceeds 4GB (0xFFFFFFFF), the do-while loop writes more than 8 hex digits, overflowing the stack buffer by 1+ bytes. In practice the buffer is aligned from the end and leaves a 6-byte hole before it on 64-bit systems, leaving enough room to be harmless, and 4 on 32-bit platforms which save it from touching lower variables. So it is safe but just by luck. Fix by increasing tmp[] to 18 bytes, sufficient for up to 16 hex digits (2^64 - 1) plus CRLF. --- src/mux_h1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/mux_h1.c b/src/mux_h1.c index 5f3bc3ec0..5d9dcbbb9 100644 --- a/src/mux_h1.c +++ b/src/mux_h1.c @@ -1852,10 +1852,10 @@ static void h1_prepend_chunk_size(struct buffer *buf, size_t chksz, size_t lengt */ static int h1_append_chunk_size(struct buffer *buf, size_t chksz) { - char tmp[10]; + char tmp[18]; char *beg, *end; - beg = end = tmp+10; + beg = end = tmp+sizeof(tmp); *--beg = '\n'; *--beg = '\r'; do {