BUG/MEDIUM: ssl: fix off-by-one in NPN list allocation After seeing previous ALPN fix, I suspected that NPN code was wrong as well, and indeed it was since ALPN was copied from it. This fix must be backported into 1.6 and 1.5.

commit: 3724da126115d6ad0ccecbbcea05c54b4accaac4 [log] [tgz]
author: Willy Tarreau <w@1wt.eu> Fri Feb 12 17:11:12 2016 +0100
committer: Willy Tarreau <w@1wt.eu> Fri Feb 12 17:11:12 2016 +0100
tree: d695c2182ddd23acc1b7d2a5bf7753e30d70475a
parent: bef6091cff924aebb6d0006642db50b23ab2ee23 [diff]
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index d68151b..bdd228f 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -5231,9 +5231,12 @@
 
 	free(conf->npn_str);
 
-	/* the NPN string is built as a suite of (<len> <name>)* */
+	/* the NPN string is built as a suite of (<len> <name>)*,
+	 * so we reuse each comma to store the next <len> and need
+	 * one more for the end of the string.
+	 */
 	conf->npn_len = strlen(args[cur_arg + 1]) + 1;
-	conf->npn_str = calloc(1, conf->npn_len);
+	conf->npn_str = calloc(1, conf->npn_len + 1);
 	memcpy(conf->npn_str + 1, args[cur_arg + 1], conf->npn_len);
 
 	/* replace commas with the name length */
commit	3724da126115d6ad0ccecbbcea05c54b4accaac4	[log] [tgz]
author	Willy Tarreau <w@1wt.eu>	Fri Feb 12 17:11:12 2016 +0100
committer	Willy Tarreau <w@1wt.eu>	Fri Feb 12 17:11:12 2016 +0100
tree	d695c2182ddd23acc1b7d2a5bf7753e30d70475a
parent	bef6091cff924aebb6d0006642db50b23ab2ee23 [diff]