From 57b526e0224cd6523689a0ecd05efd7f28f1edf0 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Fri, 22 May 2026 15:22:28 +0200
Subject: [PATCH] BUG/MINOR: tcpchecks: Limit parsing of agent-check reply to the buffer

When parsing the agent-check reply, we first loop on the response to find the newline character, to add a NULL-byte at the end of the line. However, this loop is not bounded to the data available in the buffer. So it is possible to read bytes outside the buffer and eventually write a NULL-byte ouside the buffer. So let's check for the end of the buffer when looping on the agent-check reply. This patch must be backported to all stable versions.
---
 src/tcpcheck.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/tcpcheck.c b/src/tcpcheck.c
index b7203d1fa..7a756c1d2 100644
--- a/src/tcpcheck.c
+++ b/src/tcpcheck.c
@@ -989,7 +989,7 @@ enum tcpcheck_eval_ret tcpcheck_agent_expect_reply(struct check *check, struct t
 const char *sc = NULL; /* maxconn */
 const char *err = NULL; /* first error to report */
 const char *wrn = NULL; /* first warning to report */
- char *cmd, *p;
+ char *cmd, *p, *end;
 TRACE_ENTER(CHK_EV_TCPCHK_EXP, check);
@@ -1018,10 +1018,11 @@ enum tcpcheck_eval_ret tcpcheck_agent_expect_reply(struct check *check, struct t
 */
 p = b_head(&check->bi);
- while (*p && *p != '\n' && *p != '\r')
+ end = b_tail(&check->bi);
+ while (p < end && *p && *p != '\n' && *p != '\r')
 p++;
- if (!*p) {
+ if (!*p || p == end) {
 if (!last_read)
 goto wait_more_data;
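Review bot: In the second hunk the new test `if (!*p || p == end) {` still reads `*p` before comparing `p` with `end`, so when the loop stops because it ran out of data, the byte at `b_tail(&check->bi)` is dereferenced anyway, which is the position this patch means to keep out of reach. Swapping the operands, `if (p == end || !*p) {`, lets the short-circuit skip that read. Whether that byte lies inside the buffer storage depends on buffer state that is not visible here; if `b_tail()` can wrap to the start of the storage when the buffer is full, the `p < end` bound would also need a second look. A short comment above the loop, such as `/* never look at or beyond the end of the received data */`, would record the invariant for backports. The function body starts before and continues after both hunks.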