BUG/MAJOR: server: the "sni" directive could randomly cause trouble
The "sni" server directive does some bad stuff on many occasions because
it works on a sample of type string and limits len to size-1 by hand. The
problem is that size used to be zero on many occasions before the recent
changes to smp_dup() and that it effectively results in setting len to -1
and writing the zero byte *before* the string (and not terminating the
string).
This patch makes use of the recently introduced smp_make_safe() to address
this issue.
This fix must be backported to 1.6.
diff --git a/src/backend.c b/src/backend.c
index 2c94299..faf872c 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -1217,12 +1217,7 @@
/* restore the pointers */
b_adv(s->req.buf, rewind);
- if (smp) {
- /* get write access to terminate with a zero */
- smp_dup(smp);
- if (smp->data.u.str.len >= smp->data.u.str.size)
- smp->data.u.str.len = smp->data.u.str.size - 1;
- smp->data.u.str.str[smp->data.u.str.len] = 0;
+ if (smp_make_safe(smp)) {
ssl_sock_set_servername(srv_conn, smp->data.u.str.str);
srv_conn->flags |= CO_FL_PRIVATE;
}
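Review bot: the old guard `if (smp)` protected against a NULL sample, but the replacement passes `smp` straight into `smp_make_safe(smp)`; confirm that `smp_make_safe()` tolerates a NULL pointer and returns 0 in that case, otherwise this hunk should read `if (smp && smp_make_safe(smp)) {`. The removed comment "get write access to terminate with a zero" also documented why the sample was being duplicated; a one-line comment above the new call stating that `smp_make_safe()` is expected to yield a writable, zero-terminated copy (and that on failure the SNI is simply not set and the connection is not flagged `CO_FL_PRIVATE`) would keep that intent visible to the next reader, since the failure branch is now silent.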