BUG/MINOR: tools: url2sa reads too far when no port nor path

url2sa() still have an unfortunate case where it reads 1 byte too far,
it happens when no port or path are specified in the URL, and could
crash if the byte after the URL is not allocated (mostly with ASAN).

This case is never triggered in old versions of haproxy because url2sa
is used with buffers which are way bigger than the URL. It is only
triggered with the httpclient.

Should be bacported in every stable branches.

diff --git a/src/tools.c b/src/tools.c
index 33cbfc9f6ac33cf1a49e4b2c15cb77960bcaea12..34f86321ca0f70ae07e423dbc685afaba5093f3c 100644 (file)
--- a/src/tools.c
+++ b/src/tools.c
@@ -1679,7 +1679,7 @@ int url2sa(const char *url, int ulen, struct sockaddr_storage *addr, struct spli
                end++;
 
                /* Decode port. */
-               if (*end == ':') {
+               if (end < url + ulen && *end == ':') {
                        end++;
                        default_port = read_uint(&end, url + ulen);
                }
@@ -1712,7 +1712,7 @@ int url2sa(const char *url, int ulen, struct sockaddr_storage *addr, struct spli
                        curr += ret;
 
                        /* Decode port. */
-                       if (*curr == ':') {
+                       if (curr < url + ulen && *curr == ':') {
                                curr++;
                                default_port = read_uint(&curr, url + ulen);
                        }
@@ -1746,7 +1746,7 @@ int url2sa(const char *url, int ulen, struct sockaddr_storage *addr, struct spli
                        }
 
                        /* Decode port. */
-                       if (*end == ':') {
+                       if (end < url + ulen && *end == ':') {
                                end++;
                                default_port = read_uint(&end, url + ulen);
                        }