BUG/MINOR: spoe: add missing key length check before checking key names
The spoe parser fails to check that the decoded key length is large
enough to match a given key but it uses the returned length in memcmp().
So returning "ver" could match "version" for example. In addition this
makes clang 10's ASAN complain because the second argument to memcmp()
is the static key which is shorter than the decoded buffer size, which
in practice has no impact.
I'm still not 100% sure the parser is entirely correct because even
with this fix it cannot parse a key whose name matches the beginning
of another one, but in practice this does not happen. Ideally a
preliminary length check before the comparison would be safer.
This needs to be backported as far as 1.7.
(cherry picked from commit da21ed1662ff7f1610db14b3ce48f19ec37a695b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 52d4af0accaa9440c0434387ec29beac1816fdd0)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index fbd834b..10f6299 100644
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -715,7 +715,7 @@
}
/* Check "version" K/V item */
- if (!memcmp(str, VERSION_KEY, sz)) {
+ if (sz >= strlen(VERSION_KEY) && !memcmp(str, VERSION_KEY, strlen(VERSION_KEY))) {
int i, type = *p++;
/* The value must be a string */
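Review bot: the new condition on the `+` line is a prefix match, not an exact match: `sz >= strlen(VERSION_KEY)` plus a memcmp over `strlen(VERSION_KEY)` bytes accepts any decoded key that merely starts with "version". Since this is the exact case the commit message says the parser still cannot handle ("a key whose name matches the beginning of another one"), consider `sz == strlen(VERSION_KEY) && !memcmp(str, VERSION_KEY, sz)` so that only a key of identical length and content matches; that removes the remaining ambiguity without further changes.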
@@ -744,7 +744,7 @@
}
}
/* Check "max-frame-size" K/V item */
- else if (!memcmp(str, MAX_FRAME_SIZE_KEY, sz)) {
+ else if (sz >= strlen(MAX_FRAME_SIZE_KEY) && !memcmp(str, MAX_FRAME_SIZE_KEY, strlen(MAX_FRAME_SIZE_KEY))) {
int type = *p++;
/* The value must be integer */
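Review bot: the same `sz >= strlen(KEY) && !memcmp(str, KEY, strlen(KEY))` expression is now repeated at five call sites with the key name written three times each, which is easy to get out of sync on a later edit. A small helper (for example a static inline `spoe_str_is_key(const char *str, size_t sz, const char *key)` that does the length check and the memcmp once, comparing with the exact key length) would make each `if`/`else if` a single readable call and keep the match semantics identical across the "version", "max-frame-size", "capabilities", "status-code" and "message" checks.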
@@ -767,7 +767,7 @@
max_frame_size = sz;
}
/* Check "capabilities" K/V item */
- else if (!memcmp(str, CAPABILITIES_KEY, sz)) {
+ else if (sz >= strlen(CAPABILITIES_KEY) && !memcmp(str, CAPABILITIES_KEY, strlen(CAPABILITIES_KEY))) {
int type = *p++;
/* The value must be a string */
@@ -901,7 +901,7 @@
}
/* Check "status-code" K/V item */
- if (!memcmp(str, STATUS_CODE_KEY, sz)) {
+ if (sz >= strlen(STATUS_CODE_KEY) && !memcmp(str, STATUS_CODE_KEY, strlen(STATUS_CODE_KEY))) {
int type = *p++;
/* The value must be an integer */
@@ -920,7 +920,7 @@
}
/* Check "message" K/V item */
- else if (!memcmp(str, MSG_KEY, sz)) {
+ else if (sz >= strlen(MSG_KEY) && !memcmp(str, MSG_KEY, strlen(MSG_KEY))) {
int type = *p++;
/* The value must be a string */
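Review bot: because this is an `else if` chain and the check is a prefix match, any decoded key that begins with "message" (longer than `strlen(MSG_KEY)`) is consumed here as the "message" item rather than being rejected or skipped as unknown, and the same applies to the "status-code" branch above it. An exact-length comparison (`sz == strlen(MSG_KEY)`) would make this branch match only the real key and let unknown keys fall through to whatever handling follows the chain.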