From: Willy Tarreau Date: Fri, 12 Feb 2016 16:11:12 +0000 (+0100) Subject: BUG/MEDIUM: ssl: fix off-by-one in NPN list allocation X-Git-Tag: v1.7-dev2~93 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3724da126115d6ad0ccecbbcea05c54b4accaac4;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: ssl: fix off-by-one in NPN list allocation After seeing previous ALPN fix, I suspected that NPN code was wrong as well, and indeed it was since ALPN was copied from it. This fix must be backported into 1.6 and 1.5. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index d68151be3c..bdd228fd98 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -5231,9 +5231,12 @@ static int bind_parse_npn(char **args, int cur_arg, struct proxy *px, struct bin free(conf->npn_str); - /* the NPN string is built as a suite of ( )* */ + /* the NPN string is built as a suite of ( )*, + * so we reuse each comma to store the next and need + * one more for the end of the string. + */ conf->npn_len = strlen(args[cur_arg + 1]) + 1; - conf->npn_str = calloc(1, conf->npn_len); + conf->npn_str = calloc(1, conf->npn_len + 1); memcpy(conf->npn_str + 1, args[cur_arg + 1], conf->npn_len); /* replace commas with the name length */
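Review bot: the `calloc` return value is still used unchecked, since the unchanged `memcpy(conf->npn_str + 1, args[cur_arg + 1], conf->npn_len);` right after the allocation dereferences `conf->npn_str` without testing it for NULL; a failed allocation would turn into a crash rather than a parse error, so a `if (!conf->npn_str) { /* report "out of memory" */ return ERR_ALERT | ERR_FATAL; }` style check (whatever error convention this parser uses) belongs between the two lines. The sizing itself is right: the copy writes `npn_len` bytes (the string plus its terminating NUL) starting at offset 1, so the buffer must hold `npn_len + 1` bytes, which is what the new `calloc(1, conf->npn_len + 1)` provides, while `conf->npn_len` correctly keeps the length of the encoded protocol list for later use. Minor: the rewritten comment's `( )*` placeholder shows up empty in this rendering, so it is worth confirming the length-byte/name pairing it describes actually survives in the source.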