From: William Lallemand <wlallemand@haproxy.org>
Date: Fri, 25 Mar 2022 16:37:51 +0000 (+0100)
Subject: BUG/MINOR: tools: url2sa reads too far when no port nor path
X-Git-Tag: v2.6-dev4~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3d7a9186dd650dc4106a64bb57c49b990c3cbbeb;p=thirdparty%2Fhaproxy.git

BUG/MINOR: tools: url2sa reads too far when no port nor path

url2sa() still have an unfortunate case where it reads 1 byte too far,
it happens when no port or path are specified in the URL, and could
crash if the byte after the URL is not allocated (mostly with ASAN).

This case is never triggered in old versions of haproxy because url2sa
is used with buffers which are way bigger than the URL. It is only
triggered with the httpclient.

Should be bacported in every stable branches.
---

diff --git a/src/tools.c b/src/tools.c
index 33cbfc9f6a..34f86321ca 100644
--- a/src/tools.c
+++ b/src/tools.c
@@ -1679,7 +1679,7 @@ int url2sa(const char *url, int ulen, struct sockaddr_storage *addr, struct spli
 		end++;
 
 		/* Decode port. */
-		if (*end == ':') {
+		if (end < url + ulen && *end == ':') {
 			end++;
 			default_port = read_uint(&end, url + ulen);
 		}
@@ -1712,7 +1712,7 @@ int url2sa(const char *url, int ulen, struct sockaddr_storage *addr, struct spli
 			curr += ret;
 
 			/* Decode port. */
-			if (*curr == ':') {
+			if (curr < url + ulen && *curr == ':') {
 				curr++;
 				default_port = read_uint(&curr, url + ulen);
 			}
@@ -1746,7 +1746,7 @@ int url2sa(const char *url, int ulen, struct sockaddr_storage *addr, struct spli
 			}
 
 			/* Decode port. */
-			if (*end == ':') {
+			if (end < url + ulen && *end == ':') {
 				end++;
 				default_port = read_uint(&end, url + ulen);
 			}