mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-24 23:31:40 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg()

Browse Source 
This is a complementary patch to a68affeaa ("BUG/MINOR: pattern: a sample
marked as const could be written"). Indeed the same logic from
pat_match_str() is used there, but we lack the check to ensure that the
sample is not const before writing data to it.

It could be backported to all stable versions.
This commit is contained in:
Aurelien DARRAGON 2024-09-06 16:21:02 +02:00
parent ef8d8215de
commit 3449525a02
1 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/pattern.c
View File

@ -651,11 +651,18 @@ struct pattern *pat_match_beg(struct sample *smp, struct pattern_expr *expr, int
if (smp->data.u.str.data < smp->data.u.str.size) { if (smp->data.u.str.data < smp->data.u.str.size) {
/* we may have to force a trailing zero on the test pattern and /* we may have to force a trailing zero on the test pattern and
* the buffer is large enough to accommodate it. * the buffer is large enough to accommodate it. If the flag
* CONST is set, duplicate the string
*/ */
prev = smp->data.u.str.area[smp->data.u.str.data]; prev = smp->data.u.str.area[smp->data.u.str.data];
if (prev) if (prev) {
smp->data.u.str.area[smp->data.u.str.data] = '\0'; if (smp->flags & SMP_F_CONST) {
if (!smp_dup(smp))
return NULL;
} else {
smp->data.u.str.area[smp->data.u.str.data] = '\0';
}
}
} }
else { else {
/* Otherwise, the sample is duplicated. A trailing zero /* Otherwise, the sample is duplicated. A trailing zero