git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
BUG/MAJOR: server: the "sni" directive could randomly cause trouble
author Willy Tarreau <w@1wt.eu>
Tue, 9 Aug 2016 09:55:21 +0000 (11:55 +0200)
committer Willy Tarreau <w@1wt.eu>
Tue, 9 Aug 2016 12:30:57 +0000 (14:30 +0200)
The "sni" server directive does some bad stuff on many occasions because
it works on a sample of type string and limits len to size-1 by hand. The
problem is that size used to be zero on many occasions before the recent
changes to smp_dup() and that it effectively results in setting len to -1
and writing the zero byte *before* the string (and not terminating the
string).

This patch makes use of the recently introduced smp_make_safe() to address
this issue.

This fix must be backported to 1.6.

src/backend.c

index 2c9429975d51afe5dcb73f273ce9909eda0759fb..faf872c0b16345b305c257a592625bfeb292a805 100644 (file)
@@ -1217,12 +1217,7 @@ int connect_server(struct stream *s)
                        /* restore the pointers */
                        b_adv(s->req.buf, rewind);
 
-                       if (smp) {
-                               /* get write access to terminate with a zero */
-                               smp_dup(smp);
-                               if (smp->data.u.str.len >= smp->data.u.str.size)
-                                       smp->data.u.str.len = smp->data.u.str.size - 1;
-                               smp->data.u.str.str[smp->data.u.str.len] = 0;
+                       if (smp_make_safe(smp)) {
                                ssl_sock_set_servername(srv_conn, smp->data.u.str.str);
                                srv_conn->flags |= CO_FL_PRIVATE;
                        }
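Review bot: The removed `if (smp)` was the only NULL guard in this block, and the new condition `if (smp_make_safe(smp))` passes smp straight through, so the fix is only correct if smp_make_safe() returns 0 for a NULL sample. That is not visible in this hunk. Please either confirm it in the commit message or write the condition as `if (smp && smp_make_safe(smp))`. Two smaller points on the same line: the old comment explaining why write access was needed is gone, so a one-line comment saying that the string must be zero-terminated before it reaches ssl_sock_set_servername() would keep the intent readable. Also, when smp_make_safe() fails, the connection now proceeds with no SNI and without CO_FL_PRIVATE, and nothing records that. If that silent fallback is intended, say so in a comment. Otherwise consider handling the failure explicitly.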