From 8ec9c81ac4fc70c32c6183b59d7bab9cbf1f5c5b Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Fri, 20 May 2022 09:13:38 +0200 Subject: [PATCH] BUG/MINOR: cfgparse: abort earlier in case of allocation error In issue #1563, Coverity reported a very interesting issue about a possible UAF in the config parser if the config file ends in with a very large line followed by an empty one and the large one causes an allocation failure. The issue essentially is that we try to go on with the next line in case of allocation error, while there's no point doing so. If we failed to allocate memory to read one config line, the same may happen on the next one, and blatantly dropping it while trying to parse what follows it. In the best case, subsequent errors will be incorrect due to this prior error (e.g. a large ACL definition with many patterns, followed by a reference of this ACL). Let's just immediately abort in such a condition where there's no recovery possible. This may be backported to all versions once the issue is confirmed to be addressed. Thanks to Ilya for the report. --- src/cfgparse.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/cfgparse.c b/src/cfgparse.c index 2f886d92e..976cd59ae 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -1860,10 +1860,10 @@ next_line: if (outline == NULL) { ha_alert("parsing [%s:%d]: line too long, cannot allocate memory.\n", file, linenum); - err_code |= ERR_ALERT | ERR_FATAL; + err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT; fatal++; outlinesize = 0; - goto next_line; + goto err; } /* try again */ continue;