From 3724da126115d6ad0ccecbbcea05c54b4accaac4 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Fri, 12 Feb 2016 17:11:12 +0100
Subject: [PATCH] BUG/MEDIUM: ssl: fix off-by-one in NPN list allocation

After seeing previous ALPN fix, I suspected that NPN code was wrong as well, and indeed it was since ALPN was copied from it. This fix must be backported into 1.6 and 1.5.
---
 src/ssl_sock.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index d68151be3..bdd228fd9 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5231,9 +5231,12 @@ static int bind_parse_npn(char **args, int cur_arg, struct proxy *px, struct bin
 free(conf->npn_str);
- /* the NPN string is built as a suite of ( )* */
+ /* the NPN string is built as a suite of ( )*,
+ * so we reuse each comma to store the next and need
+ * one more for the end of the string.
+ */
 conf->npn_len = strlen(args[cur_arg + 1]) + 1;
- conf->npn_str = calloc(1, conf->npn_len);
+ conf->npn_str = calloc(1, conf->npn_len + 1);
 memcpy(conf->npn_str + 1, args[cur_arg + 1], conf->npn_len);
 /* replace commas with the name length */