BUG/MAJOR: server: the "sni" directive could randomly cause trouble

The "sni" server directive does some bad stuff on many occasions because
it works on a sample of type string and limits len to size-1 by hand. The
problem is that size used to be zero on many occasions before the recent
changes to smp_dup() and that it effectively results in setting len to -1
and writing the zero byte *before* the string (and not terminating the
string).

This patch makes use of the recently introduced smp_make_safe() to address
this issue.

This fix must be backported to 1.6.
Willy Tarreau 2016-08-09 11:55:21 +02:00
parent 77128f585c
commit 2e0565cc09
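The failure the commit message describes (a size of 0 turning `len = size - 1` into `len = -1`, so the terminator is written one byte before the string) is easy to reproduce on its own. The following C program is an added illustration, not HAProxy code: `struct str_sample` is a hypothetical stand-in for the string payload of a sample, `terminate_unchecked()` reproduces the removed pattern, and `make_safe()` is an assumed sketch of the "terminate in place if there is room, otherwise copy, otherwise refuse" approach that the `if (smp_make_safe(smp))` guard in the patch relies on; it is not HAProxy's `smp_make_safe()`. A canary byte placed just before the sample shows where the stray write lands.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a string sample (not HAProxy's struct sample):
 * str points at the bytes, len counts the meaningful bytes, size is the number
 * of writable bytes behind str. size == 0 models a sample that merely points
 * into someone else's buffer, the situation the commit message describes. */
struct str_sample {
    char *str;
    int   len;
    int   size;
};

/* The pattern from the removed lines. With size == 0 the clamp gives
 * len == -1, so the terminator is written at str[-1], one byte before the
 * string, and the string itself stays unterminated. Returns the final len. */
int terminate_unchecked(struct str_sample *s)
{
    if (s->len >= s->size)
        s->len = s->size - 1;
    s->str[s->len] = 0;
    return s->len;
}

/* Assumed "make safe" replacement (an illustration, not smp_make_safe()):
 * terminate in place only when there is room, otherwise copy into caller-owned
 * scratch space, otherwise return 0 so the caller skips the SNI instead of
 * corrupting memory, as the patch's guard does. */
int make_safe(struct str_sample *s, char *scratch, int scratch_size)
{
    if (s->len < 0)
        return 0;
    if (s->size > 0 && s->len < s->size) {
        s->str[s->len] = 0;
        return 1;
    }
    if (scratch && s->len < scratch_size) {
        memcpy(scratch, s->str, (size_t)s->len);
        s->str  = scratch;
        s->size = scratch_size;
        s->str[s->len] = 0;
        return 1;
    }
    return 0;
}

/* Demo scaffold: the text sits at backing[1] with a canary at backing[0], so a
 * str[-1] write hits the canary (still inside the array, hence deterministic)
 * rather than unrelated memory. Inputs are constructed for the demo. */
#define CANARY 'G'
#define BACKING_SZ 16

struct outcome {
    int rc;           /* return value of the routine under test */
    int canary_ok;    /* byte before the sample untouched */
    int used_scratch; /* str now points into the scratch buffer */
    int terminated;   /* len >= 0 and str[len] == 0 */
};

static void place(char *backing, struct str_sample *s, const char *text, int size)
{
    memset(backing, 0, BACKING_SZ);
    backing[0] = CANARY;
    memcpy(backing + 1, text, strlen(text)); /* callers keep text short */
    s->str  = backing + 1;
    s->len  = (int)strlen(text);
    s->size = size;
}

/* Run the removed code on a size-0 sample and report the damage. */
struct outcome run_unchecked_case(const char *text)
{
    char backing[BACKING_SZ];
    struct str_sample s;
    struct outcome o;

    place(backing, &s, text, 0);
    o.rc = terminate_unchecked(&s);
    o.canary_ok = backing[0] == CANARY;
    o.used_scratch = 0;
    o.terminated = s.len >= 0 && s.str[s.len] == 0;
    return o;
}

/* Run make_safe() with a given writable size and scratch size (0 = none). */
struct outcome run_safe_case(const char *text, int size, int scratch_size)
{
    char backing[BACKING_SZ];
    char scratch[BACKING_SZ];
    struct str_sample s;
    struct outcome o;

    memset(scratch, 'X', sizeof(scratch));
    place(backing, &s, text, size);
    o.rc = make_safe(&s, scratch_size > 0 ? scratch : NULL, scratch_size);
    o.canary_ok = backing[0] == CANARY;
    o.used_scratch = s.str == scratch;
    o.terminated = o.rc && s.str[s.len] == 0;
    return o;
}

int main(void)
{
    struct outcome u = run_unchecked_case("abc");       /* size 0: str[-1] write */
    struct outcome a = run_safe_case("abc", 8, 0);      /* writable, room for NUL */
    struct outcome b = run_safe_case("abc", 0, 16);     /* read-only view, scratch ok */
    struct outcome c = run_safe_case("abc", 0, 2);      /* read-only view, no room */

    printf("unchecked:   len=%d canary_ok=%d\n", u.rc, u.canary_ok);
    printf("in place:    rc=%d terminated=%d\n", a.rc, a.terminated);
    printf("via scratch: rc=%d used_scratch=%d canary_ok=%d\n", b.rc, b.used_scratch, b.canary_ok);
    printf("refused:     rc=%d canary_ok=%d\n", c.rc, c.canary_ok);
    return 0;
}
```

The unchecked run returns a len of -1 and clobbers the canary; the refused case is the one the patch's guard handles by simply not setting the servername.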


@ -1217,12 +1217,7 @@ int connect_server(struct stream *s)
/* restore the pointers */
b_adv(s->req.buf, rewind);
if (smp) {
/* get write access to terminate with a zero */
smp_dup(smp);
if (smp->data.u.str.len >= smp->data.u.str.size)
smp->data.u.str.len = smp->data.u.str.size - 1;
smp->data.u.str.str[smp->data.u.str.len] = 0;
if (smp_make_safe(smp)) {
ssl_sock_set_servername(srv_conn, smp->data.u.str.str);
srv_conn->flags |= CO_FL_PRIVATE;
}
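Review bot: the failure path of `if (smp_make_safe(smp))` in this hunk is silent, and it changes behaviour for over-long samples: the removed code always sent a servername (truncated to `size - 1`), whereas the new code sends none when `smp_make_safe()` returns 0, with no log or debug trace to show that the SNI was dropped. Consider documenting in the commit message that an unsafe sample now yields a connection without SNI rather than a truncated one, or emitting a trace on that path so a misrouted backend handshake can be diagnosed. Also note that the explicit `smp_dup(smp)` is gone, so this only holds if `smp_make_safe()` itself obtains write access to the string, as the commit message implies; skipping `CO_FL_PRIVATE` together with the servername on failure is consistent, since the flag only matters when a servername was set.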