BUG/MEDIUM: server: fix misuse of format string in load-server-state's warnings

Commit e11cfcd ("MINOR: config: new backend directives:
load-server-state-from-file and server-state-file-name") introduced a bug
which can cause haproxy to crash upon startup by sending user-controlled
data in a format string when emitting a warning. Fix the way the warning
message is built to avoid this.

No backport is needed, this was introduced in 1.6-dev6 only.

diff --git a/src/server.c b/src/server.c
index c97c5bf8721c6d8492e7f1abef5af394cd16f607..8ddff00b7c89d67dd91bd041e8c33676f8ae4152 100644 (file)
--- a/src/server.c
+++ b/src/server.c
@@ -1897,9 +1897,8 @@ struct server *server_find_best_match(struct proxy *bk, char *name, int id, int
 /* Update a server state using the parameters available in the params list */
 static void srv_update_state(struct server *srv, int version, char **params)
 {
-       int msg_default_len;
        char *p;
-       struct chunk *msg = get_trash_chunk();
+       struct chunk *msg;
 
        /* fields since version 1
         * and common to all other upcoming versions
@@ -1916,8 +1915,7 @@ static void srv_update_state(struct server *srv, int version, char **params)
        int bk_f_forced_id;
        int srv_f_forced_id;
 
-       chunk_printf(msg, "server-state application failed for server '%s/%s'", srv->proxy->id, srv->id);
-       msg_default_len = msg->len;
+       msg = get_trash_chunk();
        switch (version) {
                case 1:
                        /*
@@ -2045,7 +2043,7 @@ static void srv_update_state(struct server *srv, int version, char **params)
 
 
                        /* don't apply anything if one error has been detected */
-                       if (msg->len > msg_default_len)
+                       if (msg->len)
                                goto out;
 
                        /* recover operational state and apply it to this server
@@ -2151,11 +2149,9 @@ static void srv_update_state(struct server *srv, int version, char **params)
        }
 
  out:
-       if (msg->len > msg_default_len) {
-               chunk_appendf(msg, "\n");
-               Warning(msg->str);
-       }
-
+       if (msg->len)
+               Warning("server-state application failed for server '%s/%s'%s",
+                       srv->proxy->id, srv->id, msg->str);
 }
 
 /* This function parses all the proxies and only take care of the backends (since we're looking for server)