upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-05-25 10:42:14 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

BUG/MINOR: tcpchecks: Limit parsing of agent-check reply to the buffer

Browse source 
When parsing the agent-check reply, we first loop on the response to find
the newline character, to add a NULL-byte at the end of the line. However,
this loop is not bounded to the data available in the buffer. So it is
possible to read bytes outside the buffer and eventually write a NULL-byte
ouside the buffer.

So let's check for the end of the buffer when looping on the agent-check
reply.

This patch must be backported to all stable versions.
This commit is contained in:
Christopher Faulet 2026-05-22 15:22:28 +02:00
parent 2644f9ddf9
commit 57b526e022
1 changed files with 4 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
src/tcpcheck.c
View file

@ -989,7 +989,7 @@ enum tcpcheck_eval_ret tcpcheck_agent_expect_reply(struct check *check, struct t
const char *sc = NULL; /* maxconn */
const char *err = NULL; /* first error to report */
const char *wrn = NULL; /* first warning to report */
char *cmd, *p;
char *cmd, *p, *end;
TRACE_ENTER(CHK_EV_TCPCHK_EXP, check);
@ -1018,10 +1018,11 @@ enum tcpcheck_eval_ret tcpcheck_agent_expect_reply(struct check *check, struct t
*/
p = b_head(&check->bi);
while (*p && *p != '\n' && *p != '\r')
end = b_tail(&check->bi);
while (p < end && *p && *p != '\n' && *p != '\r')
p++;
if (!*p) {
if (!*p || p == end) {
if (!last_read)
goto wait_more_data;