mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-21 22:01:31 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: sample: conversion from str to ipv6 may read data past end

Browse Source 
Applying inet_pton() to input contents is not reliable because the
function requires a zero-terminated string. While inet_pton() will
stop when contents do not match an IPv6 address anymore, it could
theorically read past the end of a buffer if the data to be converted
was at the end of a buffer (this cannot happen right now thanks to
the reserve at the end of the buffer). At least the conversion does
not work.

Fix this by using buf2ip6() instead, which copies the string into a
padded aread.

This bug came with recent commit b805f71 (MEDIUM: sample: let the
cast functions set their output type), no backport is needed.
This commit is contained in:
Thierry FOURNIER 2013-12-11 12:38:57 +01:00 committed by Willy Tarreau
parent cd6599150f
commit fd1399091e
1 changed files with 8 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/sample.c
View File

@ -451,13 +451,11 @@ static int c_int2ip(struct sample *smp)
static int c_str2addr(struct sample *smp)
{
int ret;
if (!buf2ip(smp->data.str.str, smp->data.str.len, &smp->data.ipv4)) {
ret = inet_pton(AF_INET6, smp->data.str.str, &smp->data.ipv6);
if (ret)
if (!buf2ip6(smp->data.str.str, smp->data.str.len, &smp->data.ipv6))
return 0;
smp->type = SMP_T_IPV6;
return ret;
return 1;
}
smp->type = SMP_T_IPV4;
return 1;
@ -473,12 +471,10 @@ static int c_str2ip(struct sample *smp)
static int c_str2ipv6(struct sample *smp)
{
int ret;
ret = inet_pton(AF_INET6, smp->data.str.str, &smp->data.ipv6);
if (ret)
if (!buf2ip6(smp->data.str.str, smp->data.str.len, &smp->data.ipv6))
return 0;
smp->type = SMP_T_IPV6;
return ret;
return 1;
}
static int c_bin2str(struct sample *smp)