From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Thu, 7 Oct 2021 16:42:41 +0000 (+0300)
Subject: lib-master: Prevent read buffer overflow with invalid haproxy header size
X-Git-Tag: 2.3.18~200
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5ed33ba11b12c625bad8ae574f933556a583369e;p=thirdparty%2Fdovecot%2Fcore.git

lib-master: Prevent read buffer overflow with invalid haproxy header size

This could have happened only for connections from haproxy_trusted_networks,
so it's unlikely to cause any real security issues.
---

diff --git a/src/lib-master/master-service-haproxy.c b/src/lib-master/master-service-haproxy.c
index 295bf9ac64..c36935d9f6 100644
--- a/src/lib-master/master-service-haproxy.c
+++ b/src/lib-master/master-service-haproxy.c
@@ -454,6 +454,12 @@ master_service_haproxy_read(struct master_service_haproxy_conn *hpconn)
 			return -1; /* not a supported command */
 		}
 
+		if (i > size) {
+			i_error("haproxy(v2): Client disconnected: "
+				"Invalid header size (size=%zu, tlv offset=%zu)",
+				size, i);
+			return -1; /* not a supported command */
+		}
 		if (master_service_haproxy_parse_tlv(hpconn, rbuf+i, size-i, &error) < 0) {
 			i_error("haproxy(v2): Client disconnected: "
 				"Invalid TLV: %s (cmd=%02x, rip=%s)",