BUG/MEDIUM: ssl: fix off-by-one in NPN list allocation

After seeing previous ALPN fix, I suspected that NPN code was wrong
as well, and indeed it was since ALPN was copied from it. This fix
must be backported into 1.6 and 1.5.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index d68151be3ca5db9b0d5b6583b14b396ec1f27c64..bdd228fd98ecfe06378bbfa7bb76f06881c2e130 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5231,9 +5231,12 @@ static int bind_parse_npn(char **args, int cur_arg, struct proxy *px, struct bin
 
        free(conf->npn_str);
 
-       /* the NPN string is built as a suite of (<len> <name>)* */
+       /* the NPN string is built as a suite of (<len> <name>)*,
+        * so we reuse each comma to store the next <len> and need
+        * one more for the end of the string.
+        */
        conf->npn_len = strlen(args[cur_arg + 1]) + 1;
-       conf->npn_str = calloc(1, conf->npn_len);
+       conf->npn_str = calloc(1, conf->npn_len + 1);
        memcpy(conf->npn_str + 1, args[cur_arg + 1], conf->npn_len);
 
        /* replace commas with the name length */