upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-05-25 10:42:14 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

BUG/MEDIUM: resolvers: Fix test on dn label size in resolv_dn_label_to_str()

Browse source 
In resolv_dn_label_to_str(), size for a dn label was stored into an integer
from a signed char without a cast to unsigned. So dn label with a size of
128 bytes or more become negative, skipping this way the copy loop and
desynchronizing input vs output.

In addition, the size of the destination string was only checked at the
begining, against the dn string length. But it must also be checked for
every dn label, to be sure. The dn string can be forged to copied more bytes
than expected.

This patch must be backported to all stable versions.
This commit is contained in:
Christopher Faulet 2026-05-22 11:13:30 +02:00
parent 1ed4ef6659
commit 75f72c2eb9
1 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
src/resolvers.c
View file

@ -1855,7 +1855,12 @@ int resolv_dn_label_to_str(const char *dn, int dn_len, char *str, int str_len)
ptr = str;
for (i = 0; i < dn_len; ++i) {
sz = dn[i];
sz = (unsigned char)dn[i];
/* Check str_len adding 1 for the dot if (i!=0) */
if (str_len < sz+i+(!!i))
return -1;
if (i)
*ptr++ = '.';
/* copy the string at i+1 to lower case */