commit efd3aa93412648cf923bf3d2e171c0b84e9d7a69
author KOVACS Krisztian <hidden@balabit.com> Wed Nov 19 10:53:20 2014 +0100
committer Willy Tarreau <w@1wt.eu> Fri Nov 21 07:45:17 2014 +0100
tree fcac7ce917c949dd96b8b62259a9f47c31072c69
parent 9654e57fac86c773091b892f42015ba2ba56be5a

BUG/MEDIUM: connection: sanitize PPv2 header length before parsing address information

Previously, if hdr_v2->len was less than the length of the protocol
specific address information we could have read after the end of the
buffer and initialize the sockaddr structure with junk.

Signed-off-by: KOVACS Krisztian <hidden@balabit.com>

[WT: this is only tagged medium since proxy protocol is only used from
 trusted sources]

This must be backported to 1.5.

src/connection.c

diff --git a/src/connection.c b/src/connection.c
index 3af6d9a..b9f5c42 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -424,6 +424,9 @@
 	case 0x01: /* PROXY command */
 		switch (hdr_v2->fam) {
 		case 0x11:  /* TCPv4 */
+			if (ntohs(hdr_v2->len) < PP2_ADDR_LEN_INET)
+				goto bad_header;
+
 			((struct sockaddr_in *)&conn->addr.from)->sin_family = AF_INET;
 			((struct sockaddr_in *)&conn->addr.from)->sin_addr.s_addr = hdr_v2->addr.ip4.src_addr;
 			((struct sockaddr_in *)&conn->addr.from)->sin_port = hdr_v2->addr.ip4.src_port;
@@ -433,6 +436,9 @@
 			conn->flags |= CO_FL_ADDR_FROM_SET | CO_FL_ADDR_TO_SET;
 			break;
 		case 0x21:  /* TCPv6 */
+			if (ntohs(hdr_v2->len) < PP2_ADDR_LEN_INET6)
+				goto bad_header;
+
 			((struct sockaddr_in6 *)&conn->addr.from)->sin6_family = AF_INET6;
 			memcpy(&((struct sockaddr_in6 *)&conn->addr.from)->sin6_addr, hdr_v2->addr.ip6.src_addr, 16);
 			((struct sockaddr_in6 *)&conn->addr.from)->sin6_port = hdr_v2->addr.ip6.src_port;