From: Aurelien DARRAGON Date: Fri, 6 Sep 2024 14:21:02 +0000 (+0200) Subject: BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg() X-Git-Tag: v3.1-dev8~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3449525a0204841a62a9fa41119ec8c47f21fde8;p=thirdparty%2Fhaproxy.git BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg() This is a complementary patch to a68affeaa ("BUG/MINOR: pattern: a sample marked as const could be written"). Indeed the same logic from pat_match_str() is used there, but we lack the check to ensure that the sample is not const before writing data to it. It could be backported to all stable versions. --- diff --git a/src/pattern.c b/src/pattern.c index 90f386e9a6..4b7540b409 100644 --- a/src/pattern.c +++ b/src/pattern.c @@ -651,11 +651,18 @@ struct pattern *pat_match_beg(struct sample *smp, struct pattern_expr *expr, int if (smp->data.u.str.data < smp->data.u.str.size) { /* we may have to force a trailing zero on the test pattern and - * the buffer is large enough to accommodate it. + * the buffer is large enough to accommodate it. If the flag + * CONST is set, duplicate the string */ prev = smp->data.u.str.area[smp->data.u.str.data]; - if (prev) - smp->data.u.str.area[smp->data.u.str.data] = '\0'; + if (prev) { + if (smp->flags & SMP_F_CONST) { + if (!smp_dup(smp)) + return NULL; + } else { + smp->data.u.str.area[smp->data.u.str.data] = '\0'; + } + } } else { /* Otherwise, the sample is duplicated. A trailing zero
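Review bot: in the new `SMP_F_CONST` branch of pat_match_beg(), `prev` is read from the original buffer before `smp_dup(smp)` runs, and nothing in the lines shown refreshes it afterwards. If code below this hunk uses `prev` to put the byte back at `smp->data.u.str.area[smp->data.u.str.data]`, that write would go into the duplicate rather than the buffer the byte came from. The rest of the function is not visible here, so please confirm what happens to `prev` on this path, and consider re-reading it after the duplication or setting it to 0 so that later code treats the string as already terminated. A smaller point on the updated comment: "If the flag CONST is set, duplicate the string" would be clearer if it named `SMP_F_CONST` and said why, namely that a const sample must not be written to, so the terminator is obtained by duplicating the sample instead of writing to it in place.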