BUG/MEDIUM: server: fix misuse of format string in load-server-state's warnings
Commit e11cfcd ("MINOR: config: new backend directives:
load-server-state-from-file and server-state-file-name") introduced a bug
which can cause haproxy to crash upon startup by sending user-controlled
data in a format string when emitting a warning. Fix the way the warning
message is built to avoid this.
No backport is needed, this was introduced in 1.6-dev6 only.
diff --git a/src/server.c b/src/server.c
index c97c5bf..8ddff00 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1897,9 +1897,8 @@
/* Update a server state using the parameters available in the params list */
static void srv_update_state(struct server *srv, int version, char **params)
{
- int msg_default_len;
char *p;
- struct chunk *msg = get_trash_chunk();
+ struct chunk *msg;
/* fields since version 1
* and common to all other upcoming versions
@@ -1916,8 +1915,7 @@
int bk_f_forced_id;
int srv_f_forced_id;
- chunk_printf(msg, "server-state application failed for server '%s/%s'", srv->proxy->id, srv->id);
- msg_default_len = msg->len;
+ msg = get_trash_chunk();
switch (version) {
case 1:
/*
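Review bot: Both `if (msg->len)` checks, the one before the state is applied and the one at `out:`, now rely on `msg = get_trash_chunk();` returning a chunk whose len is 0, and the new code does not state that assumption anywhere. A comment on the assignment, such as `/* msg starts empty; any text appended during parsing marks an error */`, would make the invariant explicit. It presumably also requires that nothing called between this assignment and `out:` reuses the same trash buffer, which cannot be confirmed from the hunk. The body of srv_update_state() extends beyond it.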
@@ -2045,7 +2043,7 @@
/* don't apply anything if one error has been detected */
- if (msg->len > msg_default_len)
+ if (msg->len)
goto out;
/* recover operational state and apply it to this server
@@ -2151,11 +2149,9 @@
}
out:
- if (msg->len > msg_default_len) {
- chunk_appendf(msg, "\n");
- Warning(msg->str);
- }
-
+ if (msg->len)
+ Warning("server-state application failed for server '%s/%s'%s",
+ srv->proxy->id, srv->id, msg->str);
}
/* This function parses all the proxies and only take care of the backends (since we're looking for server)
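Review bot: The rewritten warning at `out:` no longer ends with a newline, because the removed branch appended "\n" to msg before calling Warning() and the new format string `"server-state application failed for server '%s/%s'%s"` has none. Unless every message appended to msg earlier in srv_update_state() already carries its own terminator (those lines are outside the hunk), the warning will run into whatever is printed next. Changing the format to `"server-state application failed for server '%s/%s'%s\n"` restores the old behaviour. Since msg->str appears to be built from fields read out of the state file, it is also worth confirming that control characters in those fields cannot add misleading extra lines to the startup output.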