From c41c731f5e0048ff9d79b5f2b009e0a53cafb6ef Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Tue, 26 May 2026 09:23:48 +0200
Subject: [PATCH] BUG/MINOR: ssl-hello: make use of the null-terminated servername

In ssl_sock_switchctx_cbk(), the servername is copied into the trash and null-terminated, but later in the call to strncpy() it's still used as-is, so anything that follows it will be copied as well, which is not really expected. Let's make the servername point to the trash after sanitizing it, like ssl_sock_switchcbk_wolfSSL_cbk() does.

This can be backported to 2.6 since it was introduced with commit a996763619 ("BUG/MINOR: ssl: Store client SNI in SSL context in case of ClientHello error").
---
 src/ssl_clienthello.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/ssl_clienthello.c b/src/ssl_clienthello.c
index 7d769611b..3148de24d 100644
--- a/src/ssl_clienthello.c
+++ b/src/ssl_clienthello.c
@@ -448,6 +448,7 @@ sni_lookup:
 	for (i = 0; i < trash.size && i < servername_len; i++)
 		trash.area[i] = tolower((unsigned char)servername[i]);
 	trash.area[i] = 0;
+	servername = trash.area;
 
 	HA_RWLOCK_RDLOCK(SNI_LOCK, &s->sni_lock);
 	sni_ctx = ssl_sock_choose_sni_ctx(s, conn, trash.area, has_rsa_sig, has_ecdsa_sig);
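Review bot: With `servername = trash.area;` the rest of the function now depends on the terminator stored by `trash.area[i] = 0;`, but when the loop above exits because `i == trash.size` that store lands one past the buffer (assuming `trash.size` is the allocated length, as it is for HAProxy buffers), so the terminator the new line relies on is written out of bounds whenever the client-supplied SNI is at least as long as the trash buffer. Bounding the loop with `for (i = 0; i < trash.size - 1 && i < servername_len; i++)` keeps the terminator inside the buffer; the loop is pre-existing context here, but the added line is what makes it load-bearing. Separately, `servername_len` is not adjusted when the copy is truncated, so any later consumer that trusts the length rather than the NUL could read past the sanitized copy; adding `servername_len = i;` beside the new line would keep the two consistent, though whether the later strncpy() uses the length is not visible in this hunk. ssl_sock_switchctx_cbk() begins and ends outside the hunk.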