From dd362b7b24ea24d8f3c882dab1a69cf78af7cc90 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Thu, 21 Oct 2021 15:05:34 +0200 Subject: [PATCH] BUG/MAJOR: buf: fix varint API post- vs pre- increment A bogus test in b_get_varint(), b_put_varint(), b_peek_varint() shifts the end of the buffer by one byte. Since the bug is the same in the read and write functions, the buffer contents remain compatible, which explains why this bug was not detected earlier. But if the buffer ends on an aligned address or page, it can result in a one-byte overflow which will typically cause a crash or an inconsistent behavior. This API is only used by rings (e.g. for traces and boot messages) and by DNS responses, so the probability to hit it is extremely low, but a crash on boot was observed. This must be backported to 2.2. --- include/haproxy/buf.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/haproxy/buf.h b/include/haproxy/buf.h index 20f260d19..78409c028 100644 --- a/include/haproxy/buf.h +++ b/include/haproxy/buf.h @@ -763,7 +763,7 @@ static inline void __b_put_varint(struct buffer *b, uint64_t v) v = (v - 0xF0) >> 4; while (1) { - if (tail++ == wrap) + if (++tail == wrap) tail -= size; data++; if (v < 0x80) @@ -798,7 +798,7 @@ static inline int b_put_varint(struct buffer *b, uint64_t v) v = (v - 0xF0) >> 4; while (1) { - if (tail++ == wrap) + if (++tail == wrap) tail -= size; data++; if (data == size || v < 0x80) @@ -837,7 +837,7 @@ static inline int b_get_varint(struct buffer *b, uint64_t *vptr) v = *head; bits += 4; while (1) { - if (head++ == wrap) + if (++head == wrap) head -= size; data--; if (!data || !(*head & 0x80)) @@ -879,7 +879,7 @@ static inline int b_peek_varint(struct buffer *b, size_t ofs, uint64_t *vptr) v = *head; bits += 4; while (1) { - if (head++ == wrap) + if (++head == wrap) head -= size; data--; if (!data || !(*head & 0x80))