BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header
authorDave McCowan <11235david@gmail.com>
Thu, 17 Jul 2014 18:34:01 +0000 (14:34 -0400)
committerWilly Tarreau <w@1wt.eu>
Thu, 17 Jul 2014 19:00:53 +0000 (21:00 +0200)
Use temporary trash chunk, instead of global trash chunk in
make_proxy_line_v2() to avoid memory overwrite.

This fix must also be backported to 1.5.

src/connection.c

index 20a911bcd41f992c20c65c9ffde38d7f5fc517a0..3435b1ac74462d9c48efad4d39c674e125499f51 100644 (file)
@@ -622,6 +622,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
        char *value = NULL;
        struct tlv_ssl *tlv;
        int ssl_tlv_len = 0;
+       struct chunk *cn_trash;
 #endif
 
        if (buf_len < PP2_HEADER_LEN)
@@ -682,8 +683,9 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
                                tlv->verify = htonl(ssl_sock_get_verify_result(remote));
                        }
                        if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
-                               if (ssl_sock_get_remote_common_name(remote, &trash) > 0) {
-                                       tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str);
+                               cn_trash = get_trash_chunk();
+                               if (ssl_sock_get_remote_common_name(remote, &cn_trash) > 0) {
+                                       tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
                                        ssl_tlv_len += tlv_len;
                                }
                        }
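Review bot: The new call passes `&cn_trash`, but `cn_trash` is already a `struct chunk *`, so ssl_sock_get_remote_common_name() receives a `struct chunk **`. The removed line passed `&trash` where `trash` is a struct (it used `trash.len`), which suggests the callee expects a `struct chunk *`; its prototype is not visible here. If so, the callee treats the storage of the local pointer variable as a chunk, so the memory overwrite this commit sets out to fix is still possible, and `cn_trash->len` / `cn_trash->str` no longer reliably describe the common name handed to make_tlv(). The call should read `if (ssl_sock_get_remote_common_name(remote, cn_trash) > 0) {`, and the incompatible-pointer-type warning the compiler emits for this line is worth treating as an error. The body of make_proxy_line_v2() extends beyond this hunk on both sides.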