From: Frédéric Lécaille <flecaille@haproxy.com>
Date: Thu, 25 Oct 2018 18:17:45 +0000 (+0200)
Subject: BUG/MINOR: cache: Crashes with "total-max-size" > 2047(MB).
X-Git-Tag: v1.9-dev5~45
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b9b8b6b6beb84b6b942d24eda56bfbe3812cc294;p=thirdparty%2Fhaproxy.git

BUG/MINOR: cache: Crashes with "total-max-size" > 2047(MB).

With this patch we support cache size larger than 2047 (MB) and prevent haproxy from crashing when "total-max-size" is parsed as negative values by atoi().

The limit at parsing time is 4095 MB (UINT_MAX >> 20).

May be backported to 1.8.
---

diff --git a/src/cache.c b/src/cache.c
index d24115431a..9070e996dc 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -838,17 +838,32 @@ int cfg_parse_cache(const char *file, int linenum, char **args, int kwm)
 			tmp_cache_config->maxobjsz = 0;
 		}
 	} else if (strcmp(args[0], "total-max-size") == 0) {
-		int maxsize;
+		unsigned long int maxsize;
+		char *err;
 
 		if (alertif_too_many_args(1, file, linenum, args, &err_code)) {
 			err_code |= ERR_ABORT;
 			goto out;
 		}
 
+		maxsize = strtoul(args[1], &err, 10);
+		if (err == args[1] || *err != '\0') {
+			ha_warning("parsing [%s:%d]: total-max-size wrong value '%s'\n",
+			           file, linenum, args[1]);
+			err_code |= ERR_ABORT;
+			goto out;
+		}
+
+		if (maxsize > (UINT_MAX >> 20)) {
+			ha_warning("parsing [%s:%d]: \"total-max-size\" (%s) must not be greater than %u\n",
+			           file, linenum, args[1], UINT_MAX >> 20);
+			err_code |= ERR_ABORT;
+			goto out;
+		}
+
 		/* size in megabytes */
-		maxsize = atoi(args[1]) * 1024 * 1024 / CACHE_BLOCKSIZE;
+		maxsize *= 1024 * 1024 / CACHE_BLOCKSIZE;
 		tmp_cache_config->maxblocks = maxsize;
-
 	} else if (strcmp(args[0], "max-age") == 0) {
 		if (alertif_too_many_args(1, file, linenum, args, &err_code)) {
 			err_code |= ERR_ABORT;