From: Willy Tarreau <w@1wt.eu>
Date: Wed, 22 Jul 2015 14:45:36 +0000 (+0200)
Subject: BUG/MAJOR: dns: fix the length of the string to be copied
X-Git-Tag: v1.6-dev3~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d69d6f367879c52013946026239cb7d56c9f6f2b;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: dns: fix the length of the string to be copied

Jan A. Bruder reported that some very specific hostnames on server
lines were causing haproxy to crash on startup. Given that hist
backtrace showed some heap corruption, it was obvious there was an
overflow somewhere. The bug in fact is a typo in dns_str_to_dn_label()
which mistakenly copies one extra byte from the host name into the
output value, thus effectively corrupting the structure.

The bug triggers while parsing the next server of similar length
after the corruption, which generally triggers at config time but
could theorically crash at any moment during runtime depending on
what malloc sizes are needed next. This is why it's tagged major.

No backport is needed, this bug was introduced in 1.6-dev2.
---

diff --git a/src/dns.c b/src/dns.c
index 37e041cf0b..5bc57e5609 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -947,7 +947,7 @@ char *dns_str_to_dn_label(const char *string, char *dn, int dn_len)
 	if (dn_len < i + offset)
 		return NULL;
 
-	i = strlen(string) + offset;
+	i = strlen(string);
 	memcpy(dn + offset, string, i);
 	dn[i + offset] = '\0';
 	/* avoid a '\0' at the beginning of dn string which may prevent the for loop