git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Tim Duesterhus <tim@bastelstu.be>
	Fri, 12 Jun 2020 13:58:48 +0000 (15:58 +0200)
committer	Willy Tarreau <w@1wt.eu>
	Fri, 12 Jun 2020 14:18:02 +0000 (16:18 +0200)
commit	2867b402ac731898b1081343bd3622e2ce4f5dd5
tree	43f47f1d64d093af549f4a22e5633f44abe54907	tree \| snapshot
parent	f28d5c9ac6af9fc6cfb8efecdaa1a42b4a93d351	commit \| diff

BUG/MEDIUM: checks: Fix off-by-one in allocation of SMTP greeting cmd

The allocation did not account for either the trailing null byte or the
space, leading to a buffer overwrite.

This bug was detected by an assertion failure in the allocator. But can
also be easily detected using valgrind:

    ==25827== Invalid write of size 1
    ==25827==    at 0x6529759: __vsprintf_chk (vsprintf_chk.c:84)
    ==25827==    by 0x65296AC: __sprintf_chk (sprintf_chk.c:31)
    ==25827==    by 0x4D6AB7: sprintf (stdio2.h:33)
    ==25827==    by 0x4D6AB7: proxy_parse_smtpchk_opt (check.c:1799)
    ==25827==    by 0x4A7DDD: cfg_parse_listen (cfgparse-listen.c:2269)
    ==25827==    by 0x494AD3: readcfgfile (cfgparse.c:2167)
    ==25827==    by 0x542995: init (haproxy.c:2021)
    ==25827==    by 0x421DD2: main (haproxy.c:3121)
    ==25827==  Address 0x78712a8 is 0 bytes after a block of size 24 alloc'd
    ==25827==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==25827==    by 0x4D6A8C: proxy_parse_smtpchk_opt (check.c:1797)
    ==25827==    by 0x4A7DDD: cfg_parse_listen (cfgparse-listen.c:2269)
    ==25827==    by 0x494AD3: readcfgfile (cfgparse.c:2167)
    ==25827==    by 0x542995: init (haproxy.c:2021)
    ==25827==    by 0x421DD2: main (haproxy.c:3121)

This patch fixes issue #681.

This bug was introduced in commit fbcc77c6baa7edee85be9c2384d12c55ef651a5a,
which first appeared in 2.2-dev7. No backport needed.