BUG/MEDIUM: ssl: fix off-by-one in ALPN list allocation The first time I tried it (1.6.3) I got a segmentation fault :( After some investigation with gdb and valgrind I found the problem. memcpy() copies past an allocated buffer in "bind_parse_alpn". This patch fixes it. [wt: this fix must be backported into 1.6 and 1.5]

commit: bef6091cff924aebb6d0006642db50b23ab2ee23 [log] [tgz]
author: Marcoen Hirschberg <marcoen@gmail.com> Fri Feb 12 17:05:24 2016 +0100
committer: Willy Tarreau <w@1wt.eu> Fri Feb 12 17:10:52 2016 +0100
tree: b484fdd89322c93f13d4344e1c2c51b49fe8f3de
parent: 7282d8eb8b5af097c95ad2e82f861415cf0ed3c9 [diff]
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 5cec6a4..d68151b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -5279,9 +5279,12 @@
 
 	free(conf->alpn_str);
 
-	/* the ALPN string is built as a suite of (<len> <name>)* */
+	/* the ALPN string is built as a suite of (<len> <name>)*,
+	 * so we reuse each comma to store the next <len> and need
+	 * one more for the end of the string.
+	 */
 	conf->alpn_len = strlen(args[cur_arg + 1]) + 1;
-	conf->alpn_str = calloc(1, conf->alpn_len);
+	conf->alpn_str = calloc(1, conf->alpn_len + 1);
 	memcpy(conf->alpn_str + 1, args[cur_arg + 1], conf->alpn_len);
 
 	/* replace commas with the name length */
commit	bef6091cff924aebb6d0006642db50b23ab2ee23	[log] [tgz]
author	Marcoen Hirschberg <marcoen@gmail.com>	Fri Feb 12 17:05:24 2016 +0100
committer	Willy Tarreau <w@1wt.eu>	Fri Feb 12 17:10:52 2016 +0100
tree	b484fdd89322c93f13d4344e1c2c51b49fe8f3de
parent	7282d8eb8b5af097c95ad2e82f861415cf0ed3c9 [diff]