Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / dcec0aea3af19e612550da8efcbe817c7c5e7e97^! / . / src
commitdcec0aea3af19e612550da8efcbe817c7c5e7e97[log] [tgz]
authorRemi Tricot-Le Breton <rlebreton@haproxy.com>Mon May 17 10:35:08 2021 +0200
committerChristopher Faulet <cfaulet@haproxy.com>Thu Jun 17 16:08:11 2021 +0200
tree72f34e92186835c923421eef2bc66dfb1a5b3195
parentc9405bb1e05cb1a4c150c750adf862b553c5f4a2 [diff]
BUG/MINOR: compression: Missing calloc return value check in comp_append_type/algo

A memory allocation failure happening in comp_append_type or
comp_append_algo called while parsing compression options would have
resulted in a crash. These functions are only called during
configuration parsing.

It was raised in GitHub issue #1233.
It could be backported to all stable branches.

(cherry picked from commit 6443bcc2e1f2e1e11af76ef460d8241f06223de8)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit a3a8d50d992ab145e5c353cc36e8a787d3aead57)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 46bd5dca638832fea6ce529caebf07cb034b9e3b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 2765a6473cb1f98a424b7c19db4b8e52c8ed4350)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

diff --git a/src/compression.c b/src/compression.c
index 413a9d8..88ca0bc 100644
--- a/src/compression.c
+++ b/src/compression.c

@@ -112,12 +112,15 @@
 
 /*
  * Add a content-type in the configuration
+ * Returns 0 in case of success, 1 in case of allocation failure.
  */
 int comp_append_type(struct comp *comp, const char *type)
 {
 	struct comp_type *comp_type;
 
 	comp_type = calloc(1, sizeof(*comp_type));
+	if (!comp_type)
+		return 1;
 	comp_type->name_len = strlen(type);
 	comp_type->name = strdup(type);
 	comp_type->next = comp->types;
@@ -127,6 +130,8 @@
 
 /*
  * Add an algorithm in the configuration
+ * Returns 0 in case of success, -1 if the <algo> is unmanaged, 1 in case of
+ * allocation failure.
  */
 int comp_append_algo(struct comp *comp, const char *algo)
 {
@@ -136,6 +141,8 @@
 	for (i = 0; comp_algos[i].cfg_name; i++) {
 		if (!strcmp(algo, comp_algos[i].cfg_name)) {
 			comp_algo = calloc(1, sizeof(*comp_algo));
+			if (!comp_algo)
+				return 1;
 			memmove(comp_algo, &comp_algos[i], sizeof(struct comp_algo));
 			comp_algo->next = comp->algos;
 			comp->algos = comp_algo;

diff --git a/src/flt_http_comp.c b/src/flt_http_comp.c
index a4e66fa..0c75aa0 100644
--- a/src/flt_http_comp.c
+++ b/src/flt_http_comp.c

@@ -1357,11 +1357,17 @@
 			return -1;
 		}
 		while (*(args[cur_arg])) {
-			if (comp_append_algo(comp, args[cur_arg]) < 0) {
-				memprintf(err, "'%s' : '%s' is not a supported algorithm.\n",
-					  args[0], args[cur_arg]);
+			int retval = comp_append_algo(comp, args[cur_arg]);
+			if (retval) {
+				if (retval < 0)
+					memprintf(err, "'%s' : '%s' is not a supported algorithm.\n",
+						  args[0], args[cur_arg]);
+				else
+					memprintf(err, "'%s' : out of memory while parsing algo '%s'.\n",
+						  args[0], args[cur_arg]);
 				return -1;
 			}
+
 			if (proxy->comp->algos->init(&ctx, 9) == 0)
 				proxy->comp->algos->end(&ctx);
 			else {
@@ -1383,7 +1389,10 @@
 			return -1;
 		}
 		while (*(args[cur_arg])) {
-			comp_append_type(comp, args[cur_arg]);
+			if (comp_append_type(comp, args[cur_arg])) {
+				memprintf(err, "'%s': out of memory.", args[0]);
+				return -1;
+			}
 			cur_arg++;
 			continue;
 		}