mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-08 08:07:10 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header

Browse Source 
Use temporary trash chunk, instead of global trash chunk in
make_proxy_line_v2() to avoid memory overwrite.

This fix must also be backported to 1.5.
This commit is contained in:
Dave McCowan 2014-07-17 14:34:01 -04:00 committed by Willy Tarreau
parent 09448f7d7c
commit 77d1f0143e
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/connection.c
View File

@ -622,6 +622,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
char *value = NULL; char *value = NULL;
struct tlv_ssl *tlv; struct tlv_ssl *tlv;
int ssl_tlv_len = 0; int ssl_tlv_len = 0;
struct chunk *cn_trash;
#endif #endif
if (buf_len < PP2_HEADER_LEN) if (buf_len < PP2_HEADER_LEN)
@ -682,8 +683,9 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
tlv->verify = htonl(ssl_sock_get_verify_result(remote)); tlv->verify = htonl(ssl_sock_get_verify_result(remote));
} }
if (srv->pp_opts & SRV_PP_V2_SSL_CN) { if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
if (ssl_sock_get_remote_common_name(remote, &trash) > 0) { cn_trash = get_trash_chunk();
tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str); if (ssl_sock_get_remote_common_name(remote, &cn_trash) > 0) {
tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
ssl_tlv_len += tlv_len; ssl_tlv_len += tlv_len;
} }
} }