From: Willy Tarreau Date: Fri, 20 May 2022 07:13:38 +0000 (+0200) Subject: BUG/MINOR: cfgparse: abort earlier in case of allocation error X-Git-Tag: v2.6-dev11~41 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8ec9c81ac4fc70c32c6183b59d7bab9cbf1f5c5b;p=thirdparty%2Fhaproxy.git BUG/MINOR: cfgparse: abort earlier in case of allocation error In issue #1563, Coverity reported a very interesting issue about a possible UAF in the config parser if the config file ends in with a very large line followed by an empty one and the large one causes an allocation failure. The issue essentially is that we try to go on with the next line in case of allocation error, while there's no point doing so. If we failed to allocate memory to read one config line, the same may happen on the next one, and blatantly dropping it while trying to parse what follows it. In the best case, subsequent errors will be incorrect due to this prior error (e.g. a large ACL definition with many patterns, followed by a reference of this ACL). Let's just immediately abort in such a condition where there's no recovery possible. This may be backported to all versions once the issue is confirmed to be addressed. Thanks to Ilya for the report. --- diff --git a/src/cfgparse.c b/src/cfgparse.c index 2f886d92ed..976cd59aee 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -1860,10 +1860,10 @@ next_line: if (outline == NULL) { ha_alert("parsing [%s:%d]: line too long, cannot allocate memory.\n", file, linenum); - err_code |= ERR_ALERT | ERR_FATAL; + err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT; fatal++; outlinesize = 0; - goto next_line; + goto err; } /* try again */ continue;
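Review bot: In the `outline == NULL` branch, `outlinesize = 0;` and `fatal++;` are kept right before the new `goto err;`, and nothing visible in this hunk shows the `err` path reading either of them again. If the cleanup at `err` does not depend on them, drop the `outlinesize = 0;` assignment, or add a short comment saying why it must stay, so the branch no longer looks like it is preparing for another attempt. A one-line comment above `goto err;` stating that an allocation failure here is unrecoverable and parsing must stop, as the commit message explains, would help keep `goto next_line;` from being restored later. Since the jump is now taken with `outline` set to NULL, it is also worth confirming that whatever `err` releases tolerates a NULL `outline`; the label itself is outside the lines shown.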