BUG/MEDIUM: ssl: fix off-by-one in ALPN list allocation
The first time I tried it (1.6.3) I got a segmentation fault :(
After some investigation with gdb and valgrind I found the
problem. memcpy() copies past an allocated buffer in
"bind_parse_alpn". This patch fixes it.
[wt: this fix must be backported into 1.6 and 1.5]
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 5cec6a4..d68151b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5279,9 +5279,12 @@
free(conf->alpn_str);
- /* the ALPN string is built as a suite of (<len> <name>)* */
+ /* the ALPN string is built as a suite of (<len> <name>)*,
+ * so we reuse each comma to store the next <len> and need
+ * one more for the end of the string.
+ */
conf->alpn_len = strlen(args[cur_arg + 1]) + 1;
- conf->alpn_str = calloc(1, conf->alpn_len);
+ conf->alpn_str = calloc(1, conf->alpn_len + 1);
memcpy(conf->alpn_str + 1, args[cur_arg + 1], conf->alpn_len);
/* replace commas with the name length */
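Review bot: the memcpy on the line after the new calloc still dereferences conf->alpn_str without checking that the allocation succeeded, so an allocation failure here is a NULL write rather than a parse error; a check such as `if (!conf->alpn_str)` returning the handler's usual error code before the memcpy would close that. On the new comment, "one more for the end of the string" could be made more precise: strlen() + 1 accounts for the length byte that precedes the first name, and the extra byte in `calloc(1, conf->alpn_len + 1)` is needed because memcpy copies alpn_len bytes (the name list plus its NUL terminator) starting at offset 1, so the buffer must hold strlen() + 2 bytes. Stating both reasons in the comment would make it clear why the old `calloc(1, conf->alpn_len)` was exactly one byte short.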