commit b4cf7ab9bc413bbb956e225f903959bff17e4049
author Christopher Faulet <cfaulet@haproxy.com> Tue Jun 30 18:52:32 2020 +0200
committer Christopher Faulet <cfaulet@haproxy.com> Tue Jun 30 19:16:47 2020 +0200
tree b0befc2881d1b888c5358921b7d011ea70c646b0
parent 5d03639ba6fa9e7eee8af8fe489101de65d7f6f1

BUG/MEDIUM: pattern: Add a trailing \0 to match strings only if possible

In pat_match_str() and pat_math_beg() functions, a trailing zero is
systematically added at the end of the string, even if the buffer is not large
enough to accommodate it. It is a possible buffer overflow. For instance, when
the alpn is matched against a list of strings, the sample fetch is filled with a
non-null terminated string returned by the SSL library. No trailing zero must be
added at the end of this string, because it is outside the buffer.

So, to fix the bug, a trailing zero is added only if the buffer is large enough
to accommodate it. Otherwise, the sample fetch is duplicated. smp_dup() function
adds a trailing zero to the duplicated string, truncating it if it is too long.

This patch should fix the issue #718. It must be backported to all supported
versions.

src/pattern.c

diff --git a/src/pattern.c b/src/pattern.c
index 766bade..416e809 100644
--- a/src/pattern.c
+++ b/src/pattern.c
@@ -453,7 +453,6 @@
 {
 	int icase;
 	struct ebmb_node *node;
-	char prev;
 	struct pattern_tree *elt;
 	struct pattern_list *lst;
 	struct pattern *pattern;
@@ -462,14 +461,27 @@
 
 	/* Lookup a string in the expression's pattern tree. */
 	if (!eb_is_empty(&expr->pattern_tree)) {
-		/* we may have to force a trailing zero on the test pattern */
-		prev = smp->data.u.str.area[smp->data.u.str.data];
-		if (prev)
-			smp->data.u.str.area[smp->data.u.str.data] = '\0';
+		char prev = 0;
+
+		if (smp->data.u.str.data < smp->data.u.str.size) {
+			/* we may have to force a trailing zero on the test pattern and
+			 * the buffer is large enough to accommodate it.
+			 */
+			prev = smp->data.u.str.area[smp->data.u.str.data];
+			if (prev)
+				smp->data.u.str.area[smp->data.u.str.data] = '\0';
+		}
+		else {
+			/* Otherwise, the sample is duplicated. A trailing zero
+			 * is automatically added to the string.
+			 */
+			if (!smp_dup(smp))
+				return NULL;
+		}
+
 		node = ebst_lookup(&expr->pattern_tree, smp->data.u.str.area);
 		if (prev)
 			smp->data.u.str.area[smp->data.u.str.data] = prev;
-
 		if (node) {
 			if (fill) {
 				elt = ebmb_entry(node, struct pattern_tree, node);
@@ -618,7 +630,6 @@
 {
 	int icase;
 	struct ebmb_node *node;
-	char prev;
 	struct pattern_tree *elt;
 	struct pattern_list *lst;
 	struct pattern *pattern;
@@ -627,10 +638,24 @@
 
 	/* Lookup a string in the expression's pattern tree. */
 	if (!eb_is_empty(&expr->pattern_tree)) {
-		/* we may have to force a trailing zero on the test pattern */
-		prev = smp->data.u.str.area[smp->data.u.str.data];
-		if (prev)
-			smp->data.u.str.area[smp->data.u.str.data] = '\0';
+		char prev = 0;
+
+		if (smp->data.u.str.data < smp->data.u.str.size) {
+			/* we may have to force a trailing zero on the test pattern and
+			 * the buffer is large enough to accommodate it.
+			 */
+			prev = smp->data.u.str.area[smp->data.u.str.data];
+			if (prev)
+				smp->data.u.str.area[smp->data.u.str.data] = '\0';
+		}
+		else {
+			/* Otherwise, the sample is duplicated. A trailing zero
+			 * is automatically added to the string.
+			 */
+			if (!smp_dup(smp))
+				return NULL;
+		}
+
 		node = ebmb_lookup_longest(&expr->pattern_tree,
 					   smp->data.u.str.area);
 		if (prev)