From: Willy Tarreau Date: Fri, 31 May 2024 16:52:51 +0000 (+0200) Subject: BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory X-Git-Tag: v3.1-dev1~85 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba958fb230d4add678913f18eb520d9d5935c968;p=thirdparty%2Fhaproxy.git BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory In GH issue #2586 @Bbulatov reported a theoretical null-deref in env_expand() in case there's no memory anymore to expand an environment variable. The function should return NULL in this case so that the only caller (str2sa_range) sees it. In practice it may only happen during boot thus is harmless but better fix it since it's easy. This can be backported to all versions where this applies. --- diff --git a/src/tools.c b/src/tools.c index 7608e7e6da..b297d046b4 100644 --- a/src/tools.c +++ b/src/tools.c @@ -4627,8 +4627,9 @@ int my_unsetenv(const char *name) * corresponding value. A variable is identified as a series of alphanumeric * characters or underscores following a '$' sign. The string must be * free()able. NULL returns NULL. The resulting string might be reallocated if - * some expansion is made. Variable names may also be enclosed into braces if - * needed (eg: to concatenate alphanum characters). + * some expansion is made (an NULL will be returned on failure). Variable names + * may also be enclosed into braces if needed (eg: to concatenate alphanum + * characters). */ char *env_expand(char *in) { @@ -4683,6 +4684,9 @@ char *env_expand(char *in) } out = my_realloc2(out, out_len + (txt_end - txt_beg) + val_len + 1); + if (!out) + goto leave; + if (txt_end > txt_beg) { memcpy(out + out_len, txt_beg, txt_end - txt_beg); out_len += txt_end - txt_beg; @@ -4697,6 +4701,7 @@ char *env_expand(char *in) /* here we know that was allocated and that we don't need anymore */ free(in); +leave: return out; }
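Review bot: In the first hunk, the updated comment above env_expand() reads "an NULL will be returned on failure", which should be "and NULL will be returned on failure". The comment also leaves unstated who owns `in` when NULL is returned after a failed allocation. The success path ends with free(in), so the comment should say whether the caller must still free the input in the failure case.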
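Review bot: In the second and third hunks, the new `goto leave` taken on `!out` lands on a label placed after `free(in)`, so the out-of-memory path returns NULL without releasing `in`. On success the input is consumed, so a caller that treats it as consumed on failure as well will leak the buffer. Moving `leave:` above `free(in)` would give both paths the same ownership rule, provided the caller does not reuse its pointer after a NULL return. If the input is meant to stay valid on failure, that should be stated in the function comment instead.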