From: Christopher Faulet <cfaulet@haproxy.com>
Date: Thu, 5 Jun 2025 08:41:46 +0000 (+0200)
Subject: BUG/MEDIUM: cli: Properly parse empty lines and avoid crashed
X-Git-Tag: v3.3-dev1~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f5d41803d3b432a042a61e93741e278cfea7c208;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: cli: Properly parse empty lines and avoid crashed

Empty lines was not properly parsed and could lead to crashes because the
last argument was parsed outside of the cmdline buffer. Indeed, the last
argument is parsed to look for an eventual payload pattern. It is started
one character after the newline at the end of the command line. But it is
only valid for an non-empty command line.

So, now, this case is properly detected when we leave if an empty line is
detected.

This patch must be backported to 3.2.
---

diff --git a/src/cli.c b/src/cli.c
index 6fdeff94c..5ad88d48d 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -987,12 +987,18 @@ int cli_parse_cmdline(struct appctx *appctx)
 				continue;
 			}
 
+			if (!len)
+				goto process_cmdline;
+
 			/* The end of the command line was reached. Change the trailing \r, if any,
 			 * by a null byte. For the command line, the trailing \r and \n are removed,
 			 * but we conserve them for payload mode.
 			 */
-			if (str[len-1] == '\r')
+			if (str[len-1] == '\r') {
 				str[--len] = '\0';
+				if (!len)
+					goto process_cmdline;
+			}
 
 			/*
 			 * Look for the "payload start" pattern at the end of a
@@ -1055,6 +1061,7 @@ int cli_parse_cmdline(struct appctx *appctx)
 			}
 		}
 
+	  process_cmdline:
 		if (!(appctx->st1 & APPCTX_CLI_ST1_PAYLOAD)) {
 			appctx->st0 = CLI_ST_PROCESS_CMDLINE;
 			break;