From: William Lallemand <wlallemand@haproxy.com>
Date: Wed, 17 Apr 2024 18:52:46 +0000 (+0200)
Subject: BUG/MINOR: ssl: fix crt-store load parsing
X-Git-Tag: v3.0-dev8~29
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=10224d72fd5b4c793d6eb9e6ce84e42203c81ad7;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl: fix crt-store load parsing

The crt-store load line parser relies on offsets of member of the
ckch_conf struct. However the new "alias" keyword as an offset to
-1, because it does not need to be used. Plan was to handle it that way
in the parser, but it wasn't supported yet. So -1 was still used in an
offset computation which was not used, but ASAN could see the problem.

This patch fixes the issue by using a signed type for the offset value,
so any negative value would be skipped. It also introduced a
PARSE_TYPE_NONE for the parser.

No backport needed.
---

diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h
index 058ea15ff5..6951126e2f 100644
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@@ -169,14 +169,15 @@ struct cert_exts {
 
 /* argument types */
 enum parse_type_t {
-	PARSE_TYPE_INT = 0,
+	PARSE_TYPE_NONE = 0,
+	PARSE_TYPE_INT,
 	PARSE_TYPE_STR,         /* string which is strdup() */
 	PARSE_TYPE_ONOFF,       /* "on" or "off" keyword */
 };
 
 struct ckch_conf_kws {
 	const char *name;
-	size_t offset;
+	ssize_t offset;
 	enum parse_type_t type;
 	int (*func)(const char *path, char *buf, struct ckch_data *d, char **err);
 	char **base; /* ptr to the base path */
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 81752e1910..40d929d922 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -3997,13 +3997,13 @@ static struct cli_kw_list cli_kws = {{ },{
 INITCALL1(STG_REGISTER, cli_register_kw, &cli_kws);
 
 struct ckch_conf_kws ckch_conf_kws[] = {
-	{ "alias",                               -1,                 0, NULL,                                  NULL },
+	{ "alias",                               -1,                 PARSE_TYPE_NONE, NULL,                                  NULL },
 	{ "crt",    offsetof(struct ckch_conf, crt),    PARSE_TYPE_STR, ssl_sock_load_pem_into_ckch,           &global_ssl.crt_base },
 	{ "key",    offsetof(struct ckch_conf, key),    PARSE_TYPE_STR, ssl_sock_load_key_into_ckch,           &global_ssl.key_base },
 	{ "ocsp",   offsetof(struct ckch_conf, ocsp),   PARSE_TYPE_STR, ssl_sock_load_ocsp_response_from_file, &global_ssl.crt_base },
 	{ "issuer", offsetof(struct ckch_conf, issuer), PARSE_TYPE_STR, ssl_sock_load_issuer_file_into_ckch,   &global_ssl.crt_base },
 	{ "sctl",   offsetof(struct ckch_conf, sctl),   PARSE_TYPE_STR, ssl_sock_load_sctl_from_file,          &global_ssl.crt_base },
-	{ NULL,     0,                                  PARSE_TYPE_STR, NULL,                                  NULL                 }
+	{ NULL,     -1,                                  PARSE_TYPE_STR, NULL,                                  NULL                 }
 };
 
 /* crt-store does not try to find files, but use the stored filename */
@@ -4021,8 +4021,13 @@ int ckch_store_load_files(struct ckch_conf *f, struct ckch_store *c, char **err)
 	}
 
 	for (i = 0; ckch_conf_kws[i].name; i++) {
-		char *src = *(char **)((intptr_t)f + (ptrdiff_t)ckch_conf_kws[i].offset);
+		char *src = NULL;
 		char **base = ckch_conf_kws[i].base;
+
+		if (ckch_conf_kws[i].offset < 0)
+			continue;
+
+		src = *(char **)((intptr_t)f + (ptrdiff_t)ckch_conf_kws[i].offset);
 		if (src) {
 			char *path;
 			char path_base[PATH_MAX];