upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-05-25 10:42:14 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

BUG/MEDIUM: tcpcheck/spoe: bound the SPOP error code to valid values

Browse source 
tcpcheck_spop_expect_hello() stores the SPOA agent-supplied status-code
varint directly into check->code (signed short) without range validation.
The code is later used as an index into spop_err_reasons[100]. Let's
just replace invalid status codes with SPOP_ERR_UNKNOWN to avoid any
problem.

The SPOP tcp-check was introduced in 3.1 so this fix must be backported
to 3.2.
This commit is contained in:
Willy Tarreau 2026-05-24 18:14:50 +02:00
parent 0657621669
commit 6edc153a09
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/tcpcheck.c
View file

@ -834,6 +834,8 @@ enum tcpcheck_eval_ret tcpcheck_spop_expect_hello(struct check *check, struct tc
goto invalid_frame;
if (decode_varint(&ptr, end, &sz) == -1)
goto invalid_frame;
if (sz >= SPOP_ERR_ENTRIES)
sz = SPOP_ERR_UNKNOWN;
check->code = sz;
}