lib-master: Prevent read buffer overflow with invalid haproxy header size
authorTimo Sirainen <timo.sirainen@open-xchange.com>
Thu, 7 Oct 2021 16:42:41 +0000 (19:42 +0300)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Tue, 12 Oct 2021 11:07:27 +0000 (11:07 +0000)
This could have happened only for connections from haproxy_trusted_networks,
so it's unlikely to cause any real security issues.

src/lib-master/master-service-haproxy.c

index 295bf9ac64e9327824b36f7a19317dec629b02b5..c36935d9f6f261c295f7d89c834d316ec3fe88da 100644 (file)
@@ -454,6 +454,12 @@ master_service_haproxy_read(struct master_service_haproxy_conn *hpconn)
                        return -1; /* not a supported command */
                }
 
+               if (i > size) {
+                       i_error("haproxy(v2): Client disconnected: "
+                               "Invalid header size (size=%zu, tlv offset=%zu)",
+                               size, i);
+                       return -1; /* not a supported command */
+               }
                if (master_service_haproxy_parse_tlv(hpconn, rbuf+i, size-i, &error) < 0) {
                        i_error("haproxy(v2): Client disconnected: "
                                "Invalid TLV: %s (cmd=%02x, rip=%s)",
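Review bot: The trailing comment on the new `return -1;` was copied from the command check above and is wrong for this branch, which rejects a header whose declared size is smaller than the TLV offset; `return -1; /* TLV offset is past the declared header size */` describes it correctly. The new message also omits the peer address that the TLV error directly below logs as `rip=%s`. Adding it, with the same argument that call passes (not visible in the hunk), would let an operator tell which host in haproxy_trusted_networks sent the malformed header. `%zu` is only correct if both `size` and `i` are `size_t`; their declarations are outside the hunk, so that is worth confirming. master_service_haproxy_read starts and ends outside the hunk.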