BUG/MINOR: mux-spop: Fix possible off-by-one OOB read in spop_get_varint()

In spop_get_varint(), -1 is returned if there is not enough data in the
buffer to decode the variable integer. However, a strict comparison against
b_data() was performed, which is wrong. A failure must be reported if the
index is greater than or equal to b_data().

This patch must be backported as far as 3.2.
Christopher Faulet 2026-06-01 15:25:32 +02:00
parent b8543c54d4
commit 4a540a4fb7

@ -1033,7 +1033,7 @@ static __maybe_unused int spop_get_varint(const struct buffer *b, int o, uint64_
size_t idx = o;
int r;
if (idx > b_data(b))
if (idx >= b_data(b))
return -1;
p = (unsigned char *)b_peek(b, idx++);
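Review bot: the signed offset `int o` is copied into `size_t idx` with no range check at the top of the function, so a negative `o` is only rejected implicitly, by wrapping to a huge index that then fails `idx >= b_data(b)`. The corrected bound does cover that case, but it is worth either making the parameter unsigned or adding a one-line comment above the check stating that a negative offset is treated as "not enough data". The cast in `(unsigned char *)b_peek(b, idx++)` also drops the `const` carried by `const struct buffer *b`; a `const unsigned char *` would keep the read-only intent visible.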
@ -1043,7 +1043,7 @@ static __maybe_unused int spop_get_varint(const struct buffer *b, int o, uint64_
r = 4;
do {
if (idx > b_data(b))
if (idx >= b_data(b))
return -1;
p = (unsigned char *)b_peek(b, idx++);
*i += (uint64_t)*p << r;
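Review bot: the `return -1` inside the `do` loop can fire after earlier iterations have already executed `*i += (uint64_t)*p << r`, so on a truncated input the caller gets -1 together with a partially accumulated `*i`. The function comment should state that `*i` is undefined on failure, or the value should be accumulated in a local and stored only on success. Since the same boundary condition is now written twice (before the first byte and inside the loop), a regression test with a buffer that ends exactly on a continuation byte would guard both copies of the check.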