mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2026-04-12 22:41:02 +02:00
bd03f05007
decode_varint() has no iteration cap and accepts varints decoding to any uint64_t value. When sz is large enough that p + sz wraps modulo 2^64, the check "p + sz > end" passes, *buf is set to the wrapped pointer, and the caller's parsing loop continues from an arbitrary relative offset before the demux buffer. A malicious SPOE agent sending an AGENT_HELLO frame with a key-name length varint of 0xfffffffffffff000 causes spop_conn_handle_hello() to dereference memory ~64KB before the dbuf allocation, resulting in SIGSEGV (DoS) or, if the read lands on live heap data, parser confusion. The relative offset is fully attacker-controlled and ASLR-independent. Compare against the remaining length instead of computing p + sz. Since p <= end is guaranteed after a successful decode_varint(), end - p is non-negative. This patch must be backport to all stable versions.