Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 6443bcc2e1f2e1e11af76ef460d8241f06223de8^! / .
commit6443bcc2e1f2e1e11af76ef460d8241f06223de8[log] [tgz]
authorRemi Tricot-Le Breton <rlebreton@haproxy.com>Mon May 17 10:35:08 2021 +0200
committerChristopher Faulet <cfaulet@haproxy.com>Mon May 31 10:51:04 2021 +0200
treed6f2a46ec991f0779e3536b179b62fef6e86e5d1
parent8cb033643ff3235ac0d3887167ce06fefeaf850b [diff]
BUG/MINOR: compression: Missing calloc return value check in comp_append_type/algo

A memory allocation failure happening in comp_append_type or
comp_append_algo called while parsing compression options would have
resulted in a crash. These functions are only called during
configuration parsing.

It was raised in GitHub issue #1233.
It could be backported to all stable branches.

diff --git a/src/compression.c b/src/compression.c
index c9c0a30..7a7d900 100644
--- a/src/compression.c
+++ b/src/compression.c

@@ -108,12 +108,15 @@
 
 /*
  * Add a content-type in the configuration
+ * Returns 0 in case of success, 1 in case of allocation failure.
  */
 int comp_append_type(struct comp *comp, const char *type)
 {
 	struct comp_type *comp_type;
 
 	comp_type = calloc(1, sizeof(*comp_type));
+	if (!comp_type)
+		return 1;
 	comp_type->name_len = strlen(type);
 	comp_type->name = strdup(type);
 	comp_type->next = comp->types;
@@ -123,6 +126,8 @@
 
 /*
  * Add an algorithm in the configuration
+ * Returns 0 in case of success, -1 if the <algo> is unmanaged, 1 in case of
+ * allocation failure.
  */
 int comp_append_algo(struct comp *comp, const char *algo)
 {
@@ -132,6 +137,8 @@
 	for (i = 0; comp_algos[i].cfg_name; i++) {
 		if (strcmp(algo, comp_algos[i].cfg_name) == 0) {
 			comp_algo = calloc(1, sizeof(*comp_algo));
+			if (!comp_algo)
+				return 1;
 			memmove(comp_algo, &comp_algos[i], sizeof(struct comp_algo));
 			comp_algo->next = comp->algos;
 			comp->algos = comp_algo;

diff --git a/src/flt_http_comp.c b/src/flt_http_comp.c
index 22af46b..2ef8342 100644
--- a/src/flt_http_comp.c
+++ b/src/flt_http_comp.c

@@ -635,11 +635,17 @@
 			return -1;
 		}
 		while (*(args[cur_arg])) {
-			if (comp_append_algo(comp, args[cur_arg]) < 0) {
-				memprintf(err, "'%s' : '%s' is not a supported algorithm.\n",
-					  args[0], args[cur_arg]);
+			int retval = comp_append_algo(comp, args[cur_arg]);
+			if (retval) {
+				if (retval < 0)
+					memprintf(err, "'%s' : '%s' is not a supported algorithm.\n",
+						  args[0], args[cur_arg]);
+				else
+					memprintf(err, "'%s' : out of memory while parsing algo '%s'.\n",
+						  args[0], args[cur_arg]);
 				return -1;
 			}
+
 			if (proxy->comp->algos->init(&ctx, 9) == 0)
 				proxy->comp->algos->end(&ctx);
 			else {
@@ -661,7 +667,10 @@
 			return -1;
 		}
 		while (*(args[cur_arg])) {
-			comp_append_type(comp, args[cur_arg]);
+			if (comp_append_type(comp, args[cur_arg])) {
+				memprintf(err, "'%s': out of memory.", args[0]);
+				return -1;
+			}
 			cur_arg++;
 			continue;
 		}