From 2e0565cc09517195ed50d5a121852b654c9d2b97 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Tue, 9 Aug 2016 11:55:21 +0200 Subject: [PATCH] BUG/MAJOR: server: the "sni" directive could randomly cause trouble The "sni" server directive does some bad stuff on many occasions because it works on a sample of type string and limits len to size-1 by hand. The problem is that size used to be zero on many occasions before the recent changes to smp_dup() and that it effectively results in setting len to -1 and writing the zero byte *before* the string (and not terminating the string). This patch makes use of the recently introduced smp_make_safe() to address this issue. This fix must be backported to 1.6. --- src/backend.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/src/backend.c b/src/backend.c index 2c9429975..faf872c0b 100644 --- a/src/backend.c +++ b/src/backend.c @@ -1217,12 +1217,7 @@ int connect_server(struct stream *s) /* restore the pointers */ b_adv(s->req.buf, rewind); - if (smp) { - /* get write access to terminate with a zero */ - smp_dup(smp); - if (smp->data.u.str.len >= smp->data.u.str.size) - smp->data.u.str.len = smp->data.u.str.size - 1; - smp->data.u.str.str[smp->data.u.str.len] = 0; + if (smp_make_safe(smp)) { ssl_sock_set_servername(srv_conn, smp->data.u.str.str); srv_conn->flags |= CO_FL_PRIVATE; }
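Review bot: The explicit NULL guard is dropped in this hunk: `- if (smp) {` becomes `+ if (smp_make_safe(smp)) {`, so a NULL sample (the case the old code guarded against, e.g. when the "sni" fetch yields nothing) now reaches smp_make_safe() directly. Please confirm that smp_make_safe() tolerates a NULL argument; if it does not, keep the guard as `if (smp && smp_make_safe(smp)) {`. The commit message could also state the intended behaviour change: the old block silently truncated an over-long string to size-1 before setting the servername, whereas the new code skips ssl_sock_set_servername() entirely whenever smp_make_safe() returns 0, so such a connection is made without SNI rather than with a truncated one.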