BUG/MAJOR: server: the "sni" directive could randomly cause trouble The "sni" server directive does some bad stuff on many occasions because it works on a sample of type string and limits len to size-1 by hand. The problem is that size used to be zero on many occasions before the recent changes to smp_dup() and that it effectively results in setting len to -1 and writing the zero byte *before* the string (and not terminating the string). This patch makes use of the recently introduced smp_make_safe() to address this issue. This fix must be backported to 1.6.

commit: 2e0565cc09517195ed50d5a121852b654c9d2b97 [log] [tgz]
author: Willy Tarreau <w@1wt.eu> Tue Aug 09 11:55:21 2016 +0200
committer: Willy Tarreau <w@1wt.eu> Tue Aug 09 14:30:57 2016 +0200
tree: 8e4d58d7df87f61b5bd76d15e065c9c565c8d42f
parent: 77128f585ce682ebc14f063f4b91c8cdecf4e4b8 [diff] [blame]
diff --git a/src/backend.c b/src/backend.c
index 2c94299..faf872c 100644
--- a/src/backend.c
+++ b/src/backend.c

@@ -1217,12 +1217,7 @@
 			/* restore the pointers */
 			b_adv(s->req.buf, rewind);
 
-			if (smp) {
-				/* get write access to terminate with a zero */
-				smp_dup(smp);
-				if (smp->data.u.str.len >= smp->data.u.str.size)
-					smp->data.u.str.len = smp->data.u.str.size - 1;
-				smp->data.u.str.str[smp->data.u.str.len] = 0;
+			if (smp_make_safe(smp)) {
 				ssl_sock_set_servername(srv_conn, smp->data.u.str.str);
 				srv_conn->flags |= CO_FL_PRIVATE;
 			}
commit	2e0565cc09517195ed50d5a121852b654c9d2b97	[log] [tgz]
author	Willy Tarreau <w@1wt.eu>	Tue Aug 09 11:55:21 2016 +0200
committer	Willy Tarreau <w@1wt.eu>	Tue Aug 09 14:30:57 2016 +0200
tree	8e4d58d7df87f61b5bd76d15e065c9c565c8d42f
parent	77128f585ce682ebc14f063f4b91c8cdecf4e4b8 [diff] [blame]