BUG/MINOR: tools: url2sa reads too far when no port nor path
url2sa() still have an unfortunate case where it reads 1 byte too far,
it happens when no port or path are specified in the URL, and could
crash if the byte after the URL is not allocated (mostly with ASAN).
This case is never triggered in old versions of haproxy because url2sa
is used with buffers which are way bigger than the URL. It is only
triggered with the httpclient.
Should be bacported in every stable branches.
(cherry picked from commit 3d7a9186dd650dc4106a64bb57c49b990c3cbbeb)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 6342cc533d56cc8d44b0c4e7f7f5fb39a2fd87cb)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/src/tools.c b/src/tools.c
index 5e83230..bbd6a76 100644
--- a/src/tools.c
+++ b/src/tools.c
@@ -1664,7 +1664,7 @@
end++;
/* Decode port. */
- if (*end == ':') {
+ if (end < url + ulen && *end == ':') {
end++;
default_port = read_uint(&end, url + ulen);
}
@@ -1697,7 +1697,7 @@
curr += ret;
/* Decode port. */
- if (*curr == ':') {
+ if (curr < url + ulen && *curr == ':') {
curr++;
default_port = read_uint(&curr, url + ulen);
}
@@ -1731,7 +1731,7 @@
}
/* Decode port. */
- if (*end == ':') {
+ if (end < url + ulen && *end == ':') {
end++;
default_port = read_uint(&end, url + ulen);
}