BUG/MINOR: tools: url2sa reads too far when no port nor path url2sa() still have an unfortunate case where it reads 1 byte too far, it happens when no port or path are specified in the URL, and could crash if the byte after the URL is not allocated (mostly with ASAN). This case is never triggered in old versions of haproxy because url2sa is used with buffers which are way bigger than the URL. It is only triggered with the httpclient. Should be bacported in every stable branches.

commit: 3d7a9186dd650dc4106a64bb57c49b990c3cbbeb [log] [tgz]
author: William Lallemand <wlallemand@haproxy.org> Fri Mar 25 17:37:51 2022 +0100
committer: William Lallemand <wlallemand@haproxy.org> Fri Mar 25 17:48:28 2022 +0100
tree: 31d9b63d97a7727ebadc7b041ae5fd955d1e3820
parent: d8769d1d877e22d6d50737fc0f1ffb644535a4b2 [diff] [blame]
diff --git a/src/tools.c b/src/tools.c
index 33cbfc9..34f8632 100644
--- a/src/tools.c
+++ b/src/tools.c

@@ -1679,7 +1679,7 @@
 		end++;
 
 		/* Decode port. */
-		if (*end == ':') {
+		if (end < url + ulen && *end == ':') {
 			end++;
 			default_port = read_uint(&end, url + ulen);
 		}
@@ -1712,7 +1712,7 @@
 			curr += ret;
 
 			/* Decode port. */
-			if (*curr == ':') {
+			if (curr < url + ulen && *curr == ':') {
 				curr++;
 				default_port = read_uint(&curr, url + ulen);
 			}
@@ -1746,7 +1746,7 @@
 			}
 
 			/* Decode port. */
-			if (*end == ':') {
+			if (end < url + ulen && *end == ':') {
 				end++;
 				default_port = read_uint(&end, url + ulen);
 			}
commit	3d7a9186dd650dc4106a64bb57c49b990c3cbbeb	[log] [tgz]
author	William Lallemand <wlallemand@haproxy.org>	Fri Mar 25 17:37:51 2022 +0100
committer	William Lallemand <wlallemand@haproxy.org>	Fri Mar 25 17:48:28 2022 +0100
tree	31d9b63d97a7727ebadc7b041ae5fd955d1e3820
parent	d8769d1d877e22d6d50737fc0f1ffb644535a4b2 [diff] [blame]