From 82ea800b0fb2e7dd3d498c4973aa7eef364f208c Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Wed, 25 Apr 2012 19:19:43 +0200 Subject: [PATCH] CLEANUP: pattern: ensure that payload and payload_lv always stay in the buffer A test was already performed which worked by pure luck due to integer types, otherwise it would have been possible to start checking for an offset out of the buffer's bounds if the buffer size was large enough to allow an integer wrap. Let's perform explicit checks and use unsigned ints for offsets instead of risking being hit later. --- src/proto_tcp.c | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/src/proto_tcp.c b/src/proto_tcp.c index 69e9765f5..cc60bc37e 100644 --- a/src/proto_tcp.c +++ b/src/proto_tcp.c @@ -1486,10 +1486,10 @@ static int smp_fetch_payload_lv(struct proxy *px, struct session *l4, void *l7, unsigned int opt, const struct arg *arg_p, struct sample *smp) { - int len_offset = arg_p[0].data.uint; - int len_size = arg_p[1].data.uint; - int buf_offset = arg_p[2].data.uint; - int buf_size = 0; + unsigned int len_offset = arg_p[0].data.uint; + unsigned int len_size = arg_p[1].data.uint; + unsigned int buf_offset; + unsigned int buf_size = 0; struct buffer *b; int i; @@ -1512,11 +1512,6 @@ smp_fetch_payload_lv(struct proxy *px, struct session *l4, void *l7, unsigned in buf_size = (buf_size << 8) + ((unsigned char *)b->p)[i + len_offset]; } - if (!buf_size) { - smp->flags = 0; - return 0; - } - /* buf offset may be implicit, absolute or relative */ buf_offset = len_offset + len_size; if (arg_p[2].type == ARGT_UINT) @@ -1524,6 +1519,12 @@ smp_fetch_payload_lv(struct proxy *px, struct session *l4, void *l7, unsigned in else if (arg_p[2].type == ARGT_SINT) buf_offset += arg_p[2].data.sint; + if (!buf_size || buf_size > b->size || buf_offset + buf_size > b->size) { + /* will never match */ + smp->flags = 0; + return 0; + } + if (buf_offset + buf_size > b->i) goto too_short; @@ -1542,8 +1543,8 @@ static int smp_fetch_payload(struct proxy *px, struct session *l4, void *l7, unsigned int opt, const struct arg *arg_p, struct sample *smp) { - int buf_offset = arg_p[0].data.uint; - int buf_size = arg_p[1].data.uint; + unsigned int buf_offset = arg_p[0].data.uint; + unsigned int buf_size = arg_p[1].data.uint; struct buffer *b; if (!l4) @@ -1554,6 +1555,12 @@ smp_fetch_payload(struct proxy *px, struct session *l4, void *l7, unsigned int o if (!b) return 0; + if (!buf_size || buf_size > b->size || buf_offset + buf_size > b->size) { + /* will never match */ + smp->flags = 0; + return 0; + } + if (buf_offset + buf_size > b->i) goto too_short;